Malware Analysis Report

2025-01-02 02:12

Sample ID 240129-1zwspaddbk
Target 80fae472f8dc5bcee4ed2191088a18c7
SHA256 9b9ead362e99714a74079a2d0d2506686bdbfb1d41a565e1ee4ecdea6bc34b63
Tags xtremerat persistence rat spyware upx
Score 10/10

Analysis Overview

score
10/10

SHA256

9b9ead362e99714a74079a2d0d2506686bdbfb1d41a565e1ee4ecdea6bc34b63

Threat Level: Known bad

The file 80fae472f8dc5bcee4ed2191088a18c7 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

XtremeRAT

Detect XtremeRAT payload

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-29 22:05

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 22:05

Reported

2024-01-29 22:08

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart" C:\Windows\downswae\saaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\downswae\saaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart" C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\downswae\saaa.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
N/A N/A C:\Windows\downswae\saaa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe" C:\Windows\downswae\saaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe" C:\Windows\downswae\saaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe" C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe" C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 832 set thread context of 1124 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe
PID 1936 set thread context of 2756 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1932 set thread context of 2884 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2224 set thread context of 1056 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1920 set thread context of 1492 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2392 set thread context of 2372 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2852 set thread context of 2288 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1680 set thread context of 872 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2788 set thread context of 2596 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2868 set thread context of 2664 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 324 set thread context of 2528 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2980 set thread context of 2000 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1816 set thread context of 2452 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1236 set thread context of 2932 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2848 set thread context of 2140 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1884 set thread context of 2344 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1372 set thread context of 1172 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2736 set thread context of 740 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1056 set thread context of 2140 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 868 set thread context of 1372 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2656 set thread context of 864 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1644 set thread context of 1804 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2068 set thread context of 1500 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1172 set thread context of 2040 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3036 set thread context of 2524 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2656 set thread context of 2068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\downswae\saaa.exe
PID 3104 set thread context of 3152 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3300 set thread context of 3348 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3492 set thread context of 3544 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3688 set thread context of 3740 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3884 set thread context of 3932 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\downswae\saaa.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
File created C:\Windows\downswae\saaa.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
N/A N/A C:\Windows\downswae\saaa.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
N/A N/A C:\Windows\downswae\saaa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe
PID 1124 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1124 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Windows\downswae\saaa.exe
PID 1936 wrote to memory of 2756 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2756 wrote to memory of 2604 N/A C:\Windows\downswae\saaa.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2640 N/A C:\Windows\downswae\saaa.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe

"C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\__PE-SCRYPTED.BIN

MD5 8051053e3d903fbb35073cfe640a75e9
SHA1 e9c9c68de3155f94fff20a0fc1ecf3479c96239e
SHA256 c31522f6755d2e5d161e2c9ae6f4f705c85ac301ae5da3b7d64e5e36f31305fc
SHA512 9198e7dbea9e722a74755c09e13e7fad01fb0431494a5049210388baee6e4c3ae3ce5048baca85199ca908cc454f5c7c91081684a99bcc637ec0ce077299caeb

\Windows\downswae\saaa.exe

MD5 80fae472f8dc5bcee4ed2191088a18c7
SHA1 c642feadabeef69b0b767ad6fa62dfcac323d835
SHA256 9b9ead362e99714a74079a2d0d2506686bdbfb1d41a565e1ee4ecdea6bc34b63
SHA512 8f0cc461be72ac418ab2788913c89ed57e5fa5322fefd6cda0934e95fd24f9cb826f082791f3254f890c46ad969b9ad9edac210b3fb8ffb13fed38eab7ee6199

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 135b08bad59f12918f90ce3e59c5ad9a
SHA1 75ccf34aa643b63b48629bfd3c507e96c9f6019f
SHA256 75c7341da8f0235c3fd45140c5b38f3892162f3759ab42c1112c8956e8d8bacb
SHA512 2e01b60fc1272388763e54f62e6efa1d3758fe4dce3017b90b64b751aa277473aa4a0315ae1dd449c8f598b9889a3e9c9f5f93ad58f145ba0721a8880f1121a5

C:\Windows\downswae\saaa.exe

MD5 b3e2a30bef080edf2ab21c1bd6673af7
SHA1 aa7a37868bf0bf666481b937cded6cc3ed4bd65f
SHA256 80bd682d91cc5932997b7e4c4e814027b4ce6e9b5c1c59c15bfe5b7f7c317fd2
SHA512 6b250e8902816e615073249d3d6d9c5df5031a7c9017da4d982c3f2e7d47df4d3844b07c25a186f3dd1bf2d6bc51204142dbf1aca9729508871cb8e3bc29c51f

C:\Windows\downswae\saaa.exe

MD5 35aca553ece480819366fcdfa2bf6523
SHA1 8aa51795d3fdec4d10ca8cabfb77a296b027b02d
SHA256 8a408f9cd428ca18917458af26089f175678744b94e2f9dec7cf0114a635a768
SHA512 cad7994004f632aed7777875d54b68f49f6ff87a303d02eeab797a083596cac24ac3729802aecf7b4d8165e49b9b2f2224465266480d16be3b0b8433e1fd073f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 22:05

Reported

2024-01-29 22:08

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\downswae\saaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart" C:\Windows\downswae\saaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart" C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Windows\downswae\saaa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\downswae\saaa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe" C:\Windows\downswae\saaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe" C:\Windows\downswae\saaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe" C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe" C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1884 set thread context of 1632 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe
PID 2932 set thread context of 3428 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1908 set thread context of 3144 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2904 set thread context of 2168 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 4464 set thread context of 2352 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 4376 set thread context of 4840 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 4228 set thread context of 4240 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2784 set thread context of 3928 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3316 set thread context of 3196 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 5016 set thread context of 3076 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2832 set thread context of 4156 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3992 set thread context of 928 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1100 set thread context of 540 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1248 set thread context of 2752 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 852 set thread context of 4000 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 4716 set thread context of 2432 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 680 set thread context of 4992 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 720 set thread context of 1740 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 968 set thread context of 1240 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 4248 set thread context of 2532 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2448 set thread context of 2792 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1316 set thread context of 728 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 4172 set thread context of 2584 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3192 set thread context of 4560 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1864 set thread context of 4404 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1780 set thread context of 2112 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3904 set thread context of 1316 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1880 set thread context of 1696 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3988 set thread context of 5164 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\downswae\saaa.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
File created C:\Windows\downswae\saaa.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
N/A N/A C:\Windows\downswae\saaa.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe N/A
N/A N/A C:\Windows\downswae\saaa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe
PID 1632 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1632 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Windows\downswae\saaa.exe
PID 1632 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Windows\downswae\saaa.exe
PID 1632 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe C:\Windows\downswae\saaa.exe
PID 2932 wrote to memory of 3428 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2932 wrote to memory of 3428 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2932 wrote to memory of 3428 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2932 wrote to memory of 3428 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 2932 wrote to memory of 3428 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3428 wrote to memory of 1828 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1828 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1828 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1700 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1700 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1700 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3096 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3096 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3096 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1576 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1576 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1576 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3908 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3908 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3908 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3036 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3036 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3036 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 948 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 948 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 948 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3556 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 3556 N/A C:\Windows\downswae\saaa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3428 wrote to memory of 1908 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3428 wrote to memory of 1908 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 3428 wrote to memory of 1908 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1908 wrote to memory of 3144 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe
PID 1908 wrote to memory of 3144 N/A C:\Windows\downswae\saaa.exe C:\Windows\downswae\saaa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe

"C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe"

C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe

"C:\Users\Admin\AppData\Local\Temp\80fae472f8dc5bcee4ed2191088a18c7.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\downswae\saaa.exe

"C:\Windows\downswae\saaa.exe"


Network


Files

C:\Users\Admin\AppData\Local\Temp\aut702F.tmp


C:\Windows\downswae\saaa.exe


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
