Malware Analysis Report

2024-11-13 18:40

Sample ID: 240712-d2pe3awhrk
Target: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118
SHA256: 13bf64ee0bd2893f76c4b5ddf18316528a7ec6d03b945f18f28102029317909b
Tags: xtremerat persistence rat spyware
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 13bf64ee0bd2893f76c4b5ddf18316528a7ec6d03b945f18f28102029317909b

Threat Level: Known bad

The file 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: xtremerat persistence rat spyware

Signatures triggered:
Detect XtremeRAT payload
XtremeRAT
Boot or Logon Autostart Execution: Active Setup
Molebox Virtualization software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-07-12 03:30

Signatures

Molebox Virtualization software
No indicator details reported (Description, Indicator, Process and Target all N/A).

Unsigned PE
No indicator details reported (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-12 03:30
Reported: 2024-07-12 03:32
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Matched 16 times; no indicator details reported (Description, Indicator, Process and Target all N/A).

XtremeRAT

Tags: persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

Tag: persistence

Description | Indicator | Process | Target | Count (occurrences in the sandbox log)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | N/A | 1
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | N/A | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | C:\Windows\SysWOW64\Install12\System.exe | N/A | 16
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | C:\Windows\SysWOW64\Install12\System.exe | N/A | 16
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A | 15
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A | 15

Note: the two dropped copies keep rewriting the same StubPath value so that it points at the other copy (the SysWOW64 copy registers the Roaming copy; the Roaming copy registers the system32 path, which WOW64 file-system redirection resolves to SysWOW64 for this 32-bit process), so cleanup has to remove both files and the Installed Components key, not just one of them. The component name {O86F433A-0250-34MD-F405-MV783W3N6H4Q} is not a well-formed GUID, since it contains non-hexadecimal characters, which distinguishes it from legitimate Active Setup entries and makes it a simple thing to hunt for.

Executes dropped EXE

Description | Indicator | Process | Target | Count (occurrences in the sandbox log)
N/A | N/A | C:\Windows\SysWOW64\Install12\System.exe | N/A | 16
N/A | N/A | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A | 15

Loads dropped DLL

Description | Indicator | Process | Target | Count (occurrences in the sandbox log)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\Install12\System.exe | N/A | 16
N/A | N/A | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A | 30

Molebox Virtualization software

Matched 3 times; no indicator details reported (Description, Indicator, Process and Target all N/A).

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target | Count (captured rows)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A | 15
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A | 14
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | C:\Windows\SysWOW64\Install12\System.exe | N/A | 15
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | C:\Windows\SysWOW64\Install12\System.exe | N/A | 12

Note: the Run value names are literally "HKCU" and "HKLM", and both the user hive and the machine hive (under Wow6432Node) receive an entry, so a user-level and a machine-level autostart coexist. As with the Active Setup StubPath, the two copies alternately point these values at each other, so both Run values and both files need to be removed together.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" C:\Windows\SysWOW64\Install12\System.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" C:\Windows\SysWOW64\Install12\System.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" C:\Windows\SysWOW64\Install12\System.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" C:\Windows\SysWOW64\Install12\System.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" C:\Windows\SysWOW64\Install12\System.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" C:\Users\Admin\AppData\Roaming\Install12\System.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File created | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Users\Admin\AppData\Roaming\Install12\System.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\Install12\System.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2540 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\Install12\System.exe
PID 2540 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\Install12\System.exe
PID 2540 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\Install12\System.exe
PID 2540 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | C:\Windows\SysWOW64\Install12\System.exe
PID 2700 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe
PID 2700 wrote to memory of 1276 | N/A | C:\Windows\SysWOW64\Install12\System.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Install12\System.exe

"C:\Users\Admin\AppData\Roaming\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\Install12\System.exe

"C:\Windows\system32\Install12\System.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

N/A

Files

memory/2540-0-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2540-6-0x0000000075881000-0x0000000075882000-memory.dmp

memory/2540-5-0x00000000777C0000-0x00000000777C1000-memory.dmp

memory/2540-4-0x0000000000AF0000-0x0000000000B00000-memory.dmp

memory/2540-3-0x0000000000900000-0x0000000000910000-memory.dmp

memory/2540-2-0x0000000000270000-0x00000000002AD000-memory.dmp

memory/2540-1-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2540-7-0x0000000075870000-0x0000000075980000-memory.dmp

memory/1212-12-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/1212-13-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/1736-17-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2692-21-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2212-25-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2860-29-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2724-33-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2792-37-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2888-41-0x0000000000C80000-0x0000000000CA1000-memory.dmp

\Windows\SysWOW64\Install12\System.exe

MD5 3bd77d78bd8637e06ed6356abfa9d196
SHA1 eff1a7b64280ae0a312669c8fd40c0d77dcb9216
SHA256 13bf64ee0bd2893f76c4b5ddf18316528a7ec6d03b945f18f28102029317909b
SHA512 d7febc858fdf0b697623db6436ba907992c09fdce415d5a0175eb44df8127a54a984af116d9f972f82d3dab04de1e7f7b06e21712968e08179d77b40cd43e26f

memory/2700-55-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2540-53-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2540-51-0x0000000000270000-0x00000000002AD000-memory.dmp

memory/2540-50-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2700-57-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2700-56-0x0000000075870000-0x0000000075980000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MLG2PGtmC.cfg

MD5 72a5ebc90e1ed885685b92fcb655c834
SHA1 8b2657a5c5f003daef6f1f0f09f258f8c379e852
SHA256 2de18ee84327e8591745134989a3dfafdeec78e8fa07cff9dc01faba4093a701
SHA512 897c0551a8b11cfb54009e5191b25a9b7fee217b1cb96d617b21f12fee4b4ee84b068be702a6dde558d34c997a962f266c1338024e0ca4b1cf0fb95b5dd465a9

memory/2664-62-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/3024-66-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2240-70-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/1276-74-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/480-78-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/864-82-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2504-86-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2700-102-0x0000000075870000-0x0000000075980000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 03:30

Reported

2024-07-12 03:33

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe restart" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A

Molebox Virtualization software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Install12\System.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
PID 936 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 936 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3564 -ip 3564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3564 -ip 3564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 220

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 220

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 372 -ip 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 372 -ip 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 212

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 228

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 212

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 212

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2848 -ip 2848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2848 -ip 2848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 212

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2540 -ip 2540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2540 -ip 2540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 212

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 852 -ip 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 852 -ip 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2124 -ip 2124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2124 -ip 2124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 2932 -ip 2932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2932 -ip 2932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 84

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2080 -ip 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 2080 -ip 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 84

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1972 -ip 1972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 1972 -ip 1972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 2556 -ip 2556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 2556 -ip 2556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1236 -ip 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1236 -ip 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 192

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 220

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 676 -ip 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 676 -ip 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 208

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4116 -ip 4116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4116 -ip 4116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 2348 -ip 2348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 2348 -ip 2348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 472 -ip 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 472 -ip 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 212

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3108 -ip 3108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3108 -ip 3108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1880 -ip 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1880 -ip 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2160 -ip 2160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 2160 -ip 2160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1836 -ip 1836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1836 -ip 1836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3444 -ip 3444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3444 -ip 3444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3984 -ip 3984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3984 -ip 3984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 84

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1756 -ip 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 1756 -ip 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 228

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 232

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 1880 -ip 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 1880 -ip 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 804 -ip 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 804 -ip 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 224

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 momo44.no-ip.biz udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/912-0-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/912-1-0x0000000000B70000-0x0000000000BAD000-memory.dmp

memory/912-2-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/912-5-0x0000000000C30000-0x0000000000C40000-memory.dmp

memory/912-7-0x00000000777F0000-0x00000000777F1000-memory.dmp

memory/912-6-0x0000000002460000-0x0000000002470000-memory.dmp

memory/912-4-0x0000000077BA2000-0x0000000077BA3000-memory.dmp

memory/912-3-0x0000000000BF0000-0x0000000000C00000-memory.dmp

memory/912-8-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/912-9-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/912-11-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/912-10-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/3152-14-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/3152-16-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/3152-17-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/3564-18-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/3564-19-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/3564-21-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/3972-22-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/3972-23-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/3972-25-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/372-26-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/372-27-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/372-29-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/2600-30-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2600-31-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/2600-33-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/4268-34-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4268-35-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/4268-37-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/4128-38-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4128-39-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/4128-41-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/4140-42-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4140-44-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/912-43-0x0000000000B70000-0x0000000000BAD000-memory.dmp

memory/4140-46-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/912-47-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/912-50-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-58-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-57-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-63-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-62-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-61-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-60-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-59-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-56-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-55-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-54-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-53-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-52-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-51-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-49-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/912-48-0x0000000000B70000-0x0000000000BAD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MLG2PGtmC.cfg

MD5 72a5ebc90e1ed885685b92fcb655c834
SHA1 8b2657a5c5f003daef6f1f0f09f258f8c379e852
SHA256 2de18ee84327e8591745134989a3dfafdeec78e8fa07cff9dc01faba4093a701
SHA512 897c0551a8b11cfb54009e5191b25a9b7fee217b1cb96d617b21f12fee4b4ee84b068be702a6dde558d34c997a962f266c1338024e0ca4b1cf0fb95b5dd465a9

memory/3904-67-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2196-69-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4604-71-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4488-73-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4828-75-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/1008-77-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2364-79-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/936-81-0x00000000777D0000-0x00000000778C0000-memory.dmp

memory/936-80-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2084-85-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2928-87-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2848-89-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2540-91-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/64-93-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/3516-95-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2908-97-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/3832-100-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2364-99-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/2496-104-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/860-106-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4140-108-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/1680-110-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4108-112-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/1408-114-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/4468-116-0x0000000000C80000-0x0000000000CA1000-memory.dmp

memory/852-118-0x0000000000C80000-0x0000000000CA1000-memory.dmp