Malware Analysis Report

2024-11-13 18:40

Sample ID 240711-n9218sxhpf
Target 390b8873a046cec6e1219c9ccc776c37_JaffaCakes118
SHA256 769f829c86b87b62400f9ad37ffc6b8983947dcbe41ab9330b1d516d835d78d7
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

769f829c86b87b62400f9ad37ffc6b8983947dcbe41ab9330b1d516d835d78d7

Threat Level: Known bad

The file 390b8873a046cec6e1219c9ccc776c37_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Detect XtremeRAT payload

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 12:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 12:06

Reported

2024-07-11 12:09

Platform

win7-20240705-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 2272 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe
PID 2116 set thread context of 2860 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2332 set thread context of 2572 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 1628 set thread context of 2348 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2040 set thread context of 944 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2132 set thread context of 2616 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 908 set thread context of 2432 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 1028 set thread context of 2260 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 1056 set thread context of 1872 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2308 set thread context of 2160 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2332 set thread context of 3044 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 352 set thread context of 568 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 1232 set thread context of 1636 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2396 set thread context of 2412 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 276 set thread context of 2044 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2696 set thread context of 2468 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 352 set thread context of 1552 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2616 set thread context of 380 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 868 set thread context of 2448 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2252 set thread context of 2044 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2108 set thread context of 576 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 564 set thread context of 2412 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 1968 set thread context of 2204 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 1580 set thread context of 3008 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 564 set thread context of 2228 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 396 set thread context of 3096 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 3224 set thread context of 3252 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3376 set thread context of 3408 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 3540 set thread context of 3568 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3696 set thread context of 3728 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 3864 set thread context of 3892 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 4016 set thread context of 4048 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe
PID 2272 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2116 wrote to memory of 2860 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2860 wrote to memory of 2852 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

memory/2272-2-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2272-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2272-5-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2272-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

\Windows\SysWOW64\InstallDir\Server.exe

MD5 390b8873a046cec6e1219c9ccc776c37
SHA1 00c24b86068d3f118445e6c952d26cc72d348434
SHA256 769f829c86b87b62400f9ad37ffc6b8983947dcbe41ab9330b1d516d835d78d7
SHA512 ade807da7f509528079791120439dd0a766cb22c6264f8a45b9bfc398b3d9fadaf04d14ff4786579226879c0b45aad0caae7b5f2597232e8d6aaa4449e51024a

memory/2272-17-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2860-28-0x0000000000C80000-0x0000000000C95000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 4b6bac988b0630101af6f1e1ef06b791
SHA1 786d6ac7401711cd4624daabb30c7f74479e4d9b
SHA256 fabbda42e35fc50437df9eec12061c839da1fecc3b286acc6b395aadfc0d57c0
SHA512 f5fe00005970e9f42c63fff8a897e01609aa04d4901d03f66f559c8e58396a9b4faa8fb63b4be0093594dfb3edbada88aba00de9e12d6d8271007aa518cddaec

memory/2860-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2572-48-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2572-59-0x0000000000C80000-0x0000000000C95000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 12:06

Reported

2024-07-11 12:09

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\SysWOW64\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2724 set thread context of 4656 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe
PID 3996 set thread context of 1676 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 1488 set thread context of 2084 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3952 set thread context of 816 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 5008 set thread context of 2796 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3272 set thread context of 2532 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 5084 set thread context of 3948 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3784 set thread context of 1468 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 3076 set thread context of 3684 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2320 set thread context of 464 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 4784 set thread context of 5008 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 4796 set thread context of 4644 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 3672 set thread context of 3264 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3644 set thread context of 4332 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2640 set thread context of 5044 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2328 set thread context of 5056 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 4468 set thread context of 876 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2204 set thread context of 4176 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 4352 set thread context of 4844 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2736 set thread context of 348 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2592 set thread context of 4984 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 4420 set thread context of 5056 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2140 set thread context of 4080 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 4748 set thread context of 3288 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 232 set thread context of 3128 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 4880 set thread context of 3584 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 972 set thread context of 2464 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 2584 set thread context of 1108 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 1340 set thread context of 5092 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
PID 3980 set thread context of 4468 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 4696 set thread context of 4008 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe
PID 4656 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 3996 wrote to memory of 1676 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 1676 wrote to memory of 1848 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5052 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4128 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 1068 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 2348 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 820 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4812 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 4744 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\390b8873a046cec6e1219c9ccc776c37_JaffaCakes118.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Windows\SysWOW64\InstallDir\Server.exe

MD5 390b8873a046cec6e1219c9ccc776c37
SHA1 00c24b86068d3f118445e6c952d26cc72d348434
SHA256 769f829c86b87b62400f9ad37ffc6b8983947dcbe41ab9330b1d516d835d78d7
SHA512 ade807da7f509528079791120439dd0a766cb22c6264f8a45b9bfc398b3d9fadaf04d14ff4786579226879c0b45aad0caae7b5f2597232e8d6aaa4449e51024a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 4b6bac988b0630101af6f1e1ef06b791
SHA1 786d6ac7401711cd4624daabb30c7f74479e4d9b
SHA256 fabbda42e35fc50437df9eec12061c839da1fecc3b286acc6b395aadfc0d57c0
SHA512 f5fe00005970e9f42c63fff8a897e01609aa04d4901d03f66f559c8e58396a9b4faa8fb63b4be0093594dfb3edbada88aba00de9e12d6d8271007aa518cddaec
