Malware Analysis Report

2024-12-07 22:03

Sample ID 240715-vvq4rateld
Target 4aa5340a1691856244f4af96566828d4_JaffaCakes118
SHA256 7993a2df3a0ef5e8b361614b91634c1bcc9e6c302c80ab0f6e73b7d3f3a09032
Tags: upx xtremerat persistence rat spyware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7993a2df3a0ef5e8b361614b91634c1bcc9e6c302c80ab0f6e73b7d3f3a09032

Threat Level: Known bad

The file 4aa5340a1691856244f4af96566828d4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx xtremerat persistence rat spyware

Detect XtremeRAT payload

Xtremerat family

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Techniques implied by the signatures on this page (the matrix graphic itself is not reproduced here):

T1547.014 Boot or Logon Autostart Execution: Active Setup
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1055 Process Injection (WriteProcessMemory into iexplore.exe and explorer.exe)
T1027.002 Obfuscated Files or Information: Software Packing (UPX)
T1070.004 Indicator Removal: File Deletion ("Deletes itself")

Analysis: static1

Detonation Overview

Reported

2024-07-15 17:18

Signatures

Detect XtremeRAT payload

(1 hit; no indicator details reported)

Xtremerat family

xtremerat

UPX packed file

upx
(1 hit; no indicator details reported)

Unsigned PE

(2 hits; no indicator details reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 17:18

Reported

2024-07-15 17:21

Platform

win7-20240704-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

(7 hits; no indicator details reported)

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | C:\Windows\SysWOW64\InstallDir\Win32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe restart" | C:\Windows\SysWOW64\InstallDir\Win32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
(Target column omitted: empty for every row.)

Read the Process column against the value: the original sample and the %AppData% copy both point StubPath at the system32 copy, while the system32 copy points it at the %AppData% copy. The two dropped copies register each other. The "system32" in the value resolves to SysWOW64 for this 32-bit image (see "Drops file in System32 directory" below), and the key sits under Wow6432Node for the same reason. Active Setup runs StubPath at logon for any user profile whose HKCU Installed Components hive lacks the matching {GUID} entry, so it fires once per profile; the Run key entries below cover every later logon. Removing one Win32.exe copy or one registry value is not a cleanup: both copies, this key and the Run values have to go together.

Deletes itself

Description | Indicator | Process
N/A | N/A | C:\Windows\SysWOW64\explorer.exe
The deletion of the sample's own file is attributed to explorer.exe, into which the sample had written (see "Suspicious use of WriteProcessMemory"): the original in %Temp% is removed from the injected host process, not by the sample's own image, so a file-system audit keyed on the sample's process name will not see the delete.

Executes dropped EXE

Description | Indicator | Process
N/A | N/A | C:\Windows\SysWOW64\InstallDir\Win32.exe
N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

UPX packed file

upx
(10 hits; no indicator details reported)

Adds Run key to start application

persistence
Description | Indicator | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" | C:\Windows\SysWOW64\InstallDir\Win32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" | C:\Windows\SysWOW64\InstallDir\Win32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe
(Target column omitted: empty for every row.)

The value names are literally "HKLM" (under the machine Run key) and "HKCU" (under the user's Run key), which makes ...\CurrentVersion\Run\HKLM and ...\CurrentVersion\Run\HKCU cheap strings to hunt for. As with Active Setup, the SysWOW64 copy points both values at the %AppData% copy and the %AppData% copy points them back at the system32 (SysWOW64) copy.
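The Active Setup and Run key tables above are easier to reason about as a graph of who registers whom. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses five of the report's own "Set value (str)" rows (copied in below as constructed input), recognises the two autostart locations, folds C:\Windows\system32 into SysWOW64 the way the 32-bit writer actually sees it, and returns writer-to-registered-executable edges plus any pair of executables that register each other. The row regex, the redirection rule and every function name are this example's own assumptions.

```python
"""Autostart-registration graph from sandbox registry rows (added example)."""
import re
from collections import defaultdict

# Constructed input: five "Set value (str)" rows copied from the behavioral1
# tables, one per writer/location combination.
EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe restart" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
'''

# Row layout assumed from the report: operation, key path, '=', quoted value,
# writing process (no spaces in this sample), literal 'N/A' target column.
ROW = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*?)" (?P<proc>\S+) N/A$')

# Autostart locations this example recognises: (label, pattern on the key path).
AUTOSTART = (
    ('Active Setup StubPath',
     re.compile(r'\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$', re.I)),
    ('Run key',
     re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$', re.I)),
)


def wow64_path(path: str) -> str:
    """Return the path a 32-bit process really touches for C:\\Windows\\system32\\...

    WOW64 file system redirection sends a 32-bit process's system32 accesses to
    SysWOW64, which is why the report's registry values say system32 while its
    file rows say SysWOW64.
    """
    return re.sub(r'^(C:\\Windows\\)system32\\', r'\1SysWOW64\\', path, flags=re.I)


def executable_of(value: str) -> str:
    """Strip trailing arguments such as ' restart' from an autostart command line."""
    m = re.match(r'\S+?\.exe', value, re.I)
    return m.group(0) if m else value


def summarize(text: str) -> dict:
    """Map technique label -> set of (writer_exe, registered_exe) edges."""
    edges = defaultdict(set)
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue
        value = m['value'].replace('\\\\', '\\')   # the report doubles backslashes
        for label, pat in AUTOSTART:
            if pat.search(m['key']):
                edges[label].add((wow64_path(m['proc']), wow64_path(executable_of(value))))
                break
    return dict(edges)


def mutual_registrations(summary: dict) -> set:
    """Pairs of executables that each register the other, under any technique."""
    edges = {e for pairs in summary.values() for e in pairs}
    return {frozenset((a, b)) for a, b in edges if a != b and (b, a) in edges}


if __name__ == '__main__':
    result = summarize(EVENTS)
    for label, pairs in result.items():
        print(label)
        for writer, registered in sorted(pairs):
            print(f'  {writer}\n    -> {registered}')
    for pair in mutual_registrations(result):
        print('mutual:', ' <-> '.join(sorted(pair)))
```

Run as a script it prints the edges per technique and one mutual pair, the SysWOW64 and %AppData% copies of Win32.exe. Feeding it a full event export instead of the five constructed rows is a one-line change; the mutual-pair check is the part worth keeping, since it flags the self-repairing layout that a single-entry cleanup misses.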

Drops file in System32 directory

Description | Indicator | Process
File opened for modification | C:\Windows\SysWOW64\InstallDir\Win32.exe | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\InstallDir\Win32.exe | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Win32.exe | C:\Windows\SysWOW64\InstallDir\Win32.exe
File created | C:\Windows\SysWOW64\InstallDir\Win32.exe | C:\Windows\SysWOW64\InstallDir\Win32.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Win32.exe | C:\Windows\SysWOW64\explorer.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Win32.exe | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
(Target column omitted: empty for every row.)

The registry values and the command line name C:\Windows\system32\InstallDir\Win32.exe, but the file lands in C:\Windows\SysWOW64: the sample is a 32-bit image (its keys go under Wow6432Node), and WOW64 file system redirection maps its system32 accesses to SysWOW64. Hunt for both spellings. Four different processes open the path for writing (the sample, the copy itself, the injected explorer.exe and the %AppData% copy), so whichever component survives a partial cleanup can re-create the file.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Legend: SAMPLE = C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe; WIN32 = C:\Windows\SysWOW64\InstallDir\Win32.exe; IE = C:\Program Files\Internet Explorer\iexplore.exe; EXPLORER = C:\Windows\SysWOW64\explorer.exe

Description | Indicator | Process | Target | Rows
PID 2072 wrote to memory of 2152 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2292 | N/A | SAMPLE | EXPLORER | 5
PID 2072 wrote to memory of 2164 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2680 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2668 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2760 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2776 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2780 | N/A | SAMPLE | IE | 5
PID 2072 wrote to memory of 2792 | N/A | SAMPLE | IE | 4
PID 2072 wrote to memory of 2692 | N/A | SAMPLE | WIN32 | 4
PID 2692 wrote to memory of 2712 | N/A | WIN32 | IE | 5
PID 2692 wrote to memory of 2028 | N/A | WIN32 | EXPLORER | 5
PID 2692 wrote to memory of 2820 | N/A | WIN32 | IE | 5
PID 2692 wrote to memory of 2560 | N/A | WIN32 | IE | 1
(The report lists 64 rows; identical rows are collapsed here by source/target pair in order of first appearance, with the count in the Rows column. The listing stops at 64 entries, so writes after that point, including any by the %AppData% copy, are not shown.)

Reading: PID 2072, the original sample, writes into eight freshly started iexplore.exe instances and one explorer.exe, then into its own dropped copy (PID 2692, the SysWOW64 Win32.exe); that copy repeats the pattern against its own iexplore.exe and explorer.exe children. The injected explorer.exe instances (2292, 2028) are the ones that later carry the 0x15000-byte region dumped in the Files section and that perform the self-delete.

Processes

Image | Command line (report order; consecutive identical entries collapsed)
C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" (7 instances)
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" (7 instances)
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" (7 instances)

Thirty processes in all, in three identical groups: the original sample, the SysWOW64 copy and the %AppData% copy are each followed by one iexplore.exe, one explorer.exe and seven more iexplore.exe. The WriteProcessMemory rows above confirm the first two groups as injection targets of 2072 and 2692 respectively. explorer.exe is launched by bare name and resolves to the 32-bit copy under SysWOW64, and the SysWOW64 Win32.exe is launched with a system32 path on its command line; in both cases the Image column shows where WOW64 redirection actually took the 32-bit caller. The report has no parent/child tree, so the grouping is by listing order and by the write rows, not by a recorded parent PID.

Network

N/A

Files

Memory dumps

memory/2072-0-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2292-4-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2292-6-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2072-17-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2072-10-0x00000000026F0000-0x0000000002705000-memory.dmp
memory/2028-23-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2568-35-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2692-33-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2520-42-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2568-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

Every dump covers a 0x15000-byte region. Nine of them sit at 0xC80000 in six processes: 2072 (the sample), 2292 and 2028 (the injected explorer.exe instances), 2692 (the SysWOW64 copy) and 2520 and 2568 (not named in the write rows); the tenth is a second region of the same size at 0x26F0000 in the sample. The same size at the same address in the writer and in its targets is consistent with the sample copying its own in-memory image into each process it wrote to. Since UPX unpacks in memory, these dumps are the place to look for the unpacked payload rather than the file on disk.

Dropped files

C:\Windows\SysWOW64\InstallDir\Win32.exe
MD5 4aa5340a1691856244f4af96566828d4
SHA1 931b2f34f0e8ffbda403c2b7344295d72d2ef3c5
SHA256 7993a2df3a0ef5e8b361614b91634c1bcc9e6c302c80ab0f6e73b7d3f3a09032
SHA512 15c3728887266be8ee63501918410cda5e0e557a0d86f02c0eb380b58a067cdf18f884fd1783932dc20648529118c2332822a280c21ede4f888b8ccdd95b8d09
All four hashes match the submitted sample: the SysWOW64 copy is a byte-for-byte copy of the original, so a file-hash indicator for the sample covers it as well. The %AppData% copy (C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe) executes but is not listed with hashes in this report.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
MD5 747f5c447eb9a56586f74e0f92f660ee
SHA1 aa19b87c5da9c6bad092b79020fb5d91d6d6ed99
SHA256 403acf9d0a186492bc2432b136f2860f497897241b1a245226fdfabb9b3bba22
SHA512 e95ff8698c8ee6954d383ff5143446c55094c67e78f4aaadcec2b39b71dcde1e67dc2f8839f3c3d0b25b5af48064a0b37cb73403478eaf73c063bf36f48dab8f
The literal ((Mutex)) in the file name reads as an unexpanded template placeholder (an inference, not something the report states). The path under %AppData%\Microsoft\Windows\ is a host indicator to check alongside the two InstallDir\Win32.exe copies.
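The write table in the Signatures section and the dump names above describe the same injection from two sides: which processes the sample and its dropped copy wrote into, and which processes ended up holding an identical 0x15000-byte region at 0xC80000. The following Python is an added example, not part of the report or of any sandbox tooling: it parses a subset of the report's "PID X wrote to memory of Y" rows and the dump file names (both copied in as constructed input), counts writes per edge, separates writes into the sample's own dropped copy from writes into pre-existing system binaries (the dropped-file set is taken from "Executes dropped EXE" and passed in explicitly), finds the PID that was written to and then wrote into others, and groups the dumps by region so the two views can be cross-checked. The row layouts and all function names are this example's own assumptions.

```python
"""Cross-process write graph and dump-region cross-check (added example)."""
import re
from collections import Counter, defaultdict

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe'
DROPPED = r'C:\Windows\SysWOW64\InstallDir\Win32.exe'
IE = r'C:\Program Files\Internet Explorer\iexplore.exe'
EXPLORER = r'C:\Windows\SysWOW64\explorer.exe'

# Constructed input: a subset of the behavioral1 WriteProcessMemory rows.
WRITES = f'''
PID 2072 wrote to memory of 2152 N/A {SAMPLE} {IE}
PID 2072 wrote to memory of 2152 N/A {SAMPLE} {IE}
PID 2072 wrote to memory of 2292 N/A {SAMPLE} {EXPLORER}
PID 2072 wrote to memory of 2292 N/A {SAMPLE} {EXPLORER}
PID 2072 wrote to memory of 2692 N/A {SAMPLE} {DROPPED}
PID 2692 wrote to memory of 2712 N/A {DROPPED} {IE}
PID 2692 wrote to memory of 2028 N/A {DROPPED} {EXPLORER}
PID 2692 wrote to memory of 2028 N/A {DROPPED} {EXPLORER}
'''

# Constructed input: the memory dump names listed in the Files section.
DUMPS = '''
memory/2072-0-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2292-4-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2292-6-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2072-17-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2072-10-0x00000000026F0000-0x0000000002705000-memory.dmp
memory/2028-23-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2568-35-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2692-33-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2520-42-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2568-45-0x0000000000C80000-0x0000000000C95000-memory.dmp
'''

# Row layouts assumed from the report. The writer's path carries no spaces in
# this sample, so it is matched with \S+; the target path may contain spaces.
WRITE_ROW = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>.+)$')
DUMP_NAME = re.compile(r'^memory/(?P<pid>\d+)-\d+-0x(?P<lo>[0-9A-Fa-f]+)-0x(?P<hi>[0-9A-Fa-f]+)-memory\.dmp$')


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit('\\', 1)[-1]


def parse_writes(text):
    """(src_pid, dst_pid, src_image, dst_image) per row, in report order."""
    rows = []
    for line in text.strip().splitlines():
        m = WRITE_ROW.match(line)
        if m:
            rows.append((int(m['src']), int(m['dst']), m['src_img'], m['dst_img']))
    return rows


def edge_counts(rows):
    """Number of WriteProcessMemory calls per (src_pid, dst_pid) edge."""
    return Counter((s, d) for s, d, _si, _di in rows)


def pid_images(rows):
    """PID -> image path, taken from both ends of every edge."""
    images = {}
    for s, d, si, di in rows:
        images[s], images[d] = si, di
    return images


def classify_targets(rows, dropped):
    """Split written-to images into the sample's own drops vs. pre-existing binaries."""
    dropped_l = {p.lower() for p in dropped}
    own, foreign = set(), set()
    for _s, _d, _si, di in rows:
        (own if di.lower() in dropped_l else foreign).add(di)
    return own, foreign


def second_stage_writers(rows):
    """PIDs that were written to and then wrote into other processes."""
    return sorted({s for s, *_ in rows} & {d for _s, d, *_ in rows})


def region_carriers(text):
    """(base, size) -> sorted PIDs whose dumps cover exactly that region."""
    carriers = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_NAME.match(line)
        if m:
            lo, hi = int(m['lo'], 16), int(m['hi'], 16)
            carriers[(lo, hi - lo)].add(int(m['pid']))
    return {region: sorted(pids) for region, pids in carriers.items()}


if __name__ == '__main__':
    rows = parse_writes(WRITES)
    images = pid_images(rows)
    for (s, d), n in edge_counts(rows).items():
        print(f'{s} ({basename(images[s])}) -> {d} ({basename(images[d])}): {n} writes')
    own, foreign = classify_targets(rows, {DROPPED})
    print('writes into own drops:', sorted(own))
    print('writes into pre-existing processes:', sorted(foreign))
    print('second-stage writers:', second_stage_writers(rows))
    for (base, size), pids in region_carriers(DUMPS).items():
        print(f'region 0x{base:X} (+0x{size:X}) dumped from PIDs {pids}')
```

The useful cross-check is the intersection of the two outputs: every PID that received writes and also appears under the 0xC80000 region (2292, 2028, 2692) is a confirmed injection target holding the payload, and a PID that carries the region without a matching write row (2520, 2568 here) points at writes the report's 64-row listing cut off.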

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 17:18

Reported

2024-07-15 17:21

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

(42 hits; no indicator details reported)

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Rows
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe restart" | C:\Windows\SysWOW64\InstallDir\Win32.exe | 13
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | 12
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" | C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe | 1
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | C:\Windows\SysWOW64\InstallDir\Win32.exe | 14
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | 15
(55 rows are visible on this page before the report is cut off; identical rows are collapsed, with the count in the Rows column. Target column omitted: empty for every row.)

On the Windows 10 run the original sample writes StubPath once, and from then on the two dropped copies re-write it a dozen times each within the 150-second window, every time pointing it at the other copy. The value is continuously re-asserted rather than set once at install, so deleting the key while either copy is running will be undone within seconds; kill both Win32.exe processes before touching the registry.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe restart" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe restart" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
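The Active Setup rows and the Run key rows above show one arrangement from two directions: the copy under C:\Users\Admin\AppData\Roaming\InstallDir\ writes a StubPath and a Run value that point at the copy under C:\Windows\system32\InstallDir\, and the SysWOW64 copy writes values that point back at the AppData copy (the Run values are literally named HKCU and HKLM, and the StubPath carries a "restart" argument). Two details matter for cleanup. First, the value data says system32, but the "Drops file in System32 directory" rows show the file being created under SysWOW64: every HKLM write in these tables lands under WOW6432Node, so the sample is running as a 32-bit process and WOW64 file system redirection sends its system32 writes to SysWOW64. A hunt that only checks C:\Windows\System32 for InstallDir\Win32.exe misses the binary, and which of the two directories an autostart consumer resolves "system32" to depends on whether that consumer is itself 32-bit or 64-bit, so both belong on the list. Second, because each copy registers the other (and the file rows show each copy re-opening the SysWOW64 file for modification), removing one copy and its keys while the other is still running is not enough.

The script below is an added example, not part of the sandbox report or of the tool that produced it. It parses rows quoted from the two tables (constructed sample input), normalises the kernel registry paths to the HKLM/HKCU form hunt tooling uses, resolves the redirected on-disk location, reports the paired-copy relationship, and emits the list of registry values and files to check on a host. The function names and the 32-bit assumption behind `on_disk` are the example's own.

```python
"""Pull autostart entries out of the registry rows above and check for the
paired-copy pattern. Added example; not part of the sandbox report.
SAMPLE_ROWS are copied from the Active Setup and Run key tables; the function
names and the 32-bit assumption (see on_disk) are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample input: one row of each shape that appears in the tables.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Win32.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe restart" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Win32.exe" C:\Windows\SysWOW64\InstallDir\Win32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Win32.exe" C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\InstallDir\Win32.exe N/A',
]

# Row shape: Set value (str) <key>\<value name> = "<data>" <writing process> N/A
SET_VALUE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = '
    r'"(?P<data>[^"]*)" (?P<proc>.+?) N/A$')
EXE_AND_ARGS = re.compile(r'^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$', re.IGNORECASE)
MACHINE = '\\REGISTRY\\MACHINE\\'
USER_SID = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\(.*)$', re.IGNORECASE)
SYSTEM32 = 'c:\\windows\\system32\\'


def hive(key):
    """Rewrite the kernel registry path to the HKLM/HKCU form hunt tooling
    uses. The user SID is dropped so the entry matches on any host."""
    if key.upper().startswith(MACHINE):
        return 'HKLM\\' + key[len(MACHINE):]
    m = USER_SID.match(key)
    return 'HKCU\\' + m.group(1) if m else key


def parse_set_value(row):
    """One 'Set value (str)' row -> dict, or None for any other row type."""
    m = SET_VALUE.match(row)
    if not m:
        return None
    data = m['data'].replace('\\\\', '\\')   # the report doubles backslashes
    e = EXE_AND_ARGS.match(data)
    return {
        'key': hive(m['key']),
        'name': m['name'],
        'exe': e['exe'] if e else data,
        'args': (e['args'] or '') if e else '',
        'writer': m['proc'],
    }


def classify(entry):
    k = entry['key'].lower()
    if '\\active setup\\installed components\\' in k and entry['name'].lower() == 'stubpath':
        return 'active_setup'
    if k.endswith('\\currentversion\\run'):
        return 'run_key'
    return 'other'


def on_disk(path):
    """Where a path this sample wrote actually lands. Assumption: the sample is
    32-bit (every HKLM write above went under WOW6432Node), so WOW64 file
    system redirection turns its system32 writes into SysWOW64 writes, which is
    what the 'Drops file in System32 directory' rows show."""
    if path.lower().startswith(SYSTEM32):
        return 'C:\\Windows\\SysWOW64\\' + path[len(SYSTEM32):]
    return path


def paired_copies(entries):
    """Pairs of executables that each register the other as an autostart:
    cleaning one copy and its keys leaves the other to put it back."""
    registers = defaultdict(set)
    for e in entries:
        registers[on_disk(e['writer']).lower()].add(on_disk(e['exe']).lower())
    pairs = set()
    for writer, targets in registers.items():
        for t in targets:
            if writer in registers.get(t, ()):
                pairs.add(tuple(sorted((writer, t))))
    return pairs


def hunt_list(entries):
    """Registry values and files to check on a suspect host. Both the literal
    path and its redirected form are listed: a 64-bit autostart consumer has no
    redirection, so which one it resolves depends on its bitness."""
    values = sorted({f"{e['key']}\\{e['name']} = {e['exe']} {e['args']}".rstrip()
                     for e in entries})
    files = sorted({p for e in entries for p in (e['exe'], on_disk(e['exe']))})
    return values, files


def extract(rows):
    return [e for e in map(parse_set_value, rows) if e]


if __name__ == '__main__':
    entries = extract(SAMPLE_ROWS)
    for e in entries:
        print(classify(e), e['key'], e['name'], '->', e['exe'], e['args'], '(by', e['writer'] + ')')
    print('paired copies:', paired_copies(entries))
    values, files = hunt_list(entries)
    print(*values, sep='\n')
    print(*files, sep='\n')
```

Feeding the full tables through `extract` instead of the five sample rows changes nothing in the pairing result: every additional row is a repeat of one of these four value shapes, which is itself worth noting, since each re-execution of either copy rewrites the same values.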

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\InstallDir\Win32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 4480 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 4480 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 4480 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Windows\SysWOW64\InstallDir\Win32.exe
PID 4480 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Windows\SysWOW64\InstallDir\Win32.exe
PID 4480 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe C:\Windows\SysWOW64\InstallDir\Win32.exe
PID 2852 wrote to memory of 4712 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4712 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 2944 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\explorer.exe
PID 2852 wrote to memory of 2944 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\explorer.exe
PID 2852 wrote to memory of 2944 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Windows\SysWOW64\explorer.exe
PID 2852 wrote to memory of 4712 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4556 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4556 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4556 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1160 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1160 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1160 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4068 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4068 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 4068 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1516 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1516 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1516 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 3036 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 3036 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 3036 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1684 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1684 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 1684 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 3452 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 3452 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2852 wrote to memory of 2748 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
PID 2852 wrote to memory of 2748 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
PID 2852 wrote to memory of 2748 N/A C:\Windows\SysWOW64\InstallDir\Win32.exe C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe
PID 2748 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2748 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2748 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe C:\Windows\SysWOW64\explorer.exe
PID 2748 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe C:\Windows\SysWOW64\explorer.exe
PID 2748 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe C:\Windows\SysWOW64\explorer.exe
PID 2748 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4aa5340a1691856244f4af96566828d4_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\InstallDir\Win32.exe

"C:\Windows\system32\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\InstallDir\Win32.exe | "C:\Windows\system32\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe | "C:\Users\Admin\AppData\Roaming\InstallDir\Win32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   68.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53   26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53   81.144.22.2.in-addr.arpa        udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53   15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53   192.142.123.92.in-addr.arpa     udp
US       8.8.8.8:53   172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53   30.243.111.52.in-addr.arpa      udp
US       8.8.8.8:53                                   udp

Files

memory/4480-0-0x0000000000C80000-0x0000000000C95000-memory.dmp

C:\Windows\SysWOW64\InstallDir\Win32.exe
MD5 4aa5340a1691856244f4af96566828d4
SHA1 931b2f34f0e8ffbda403c2b7344295d72d2ef3c5
SHA256 7993a2df3a0ef5e8b361614b91634c1bcc9e6c302c80ab0f6e73b7d3f3a09032
SHA512 15c3728887266be8ee63501918410cda5e0e557a0d86f02c0eb380b58a067cdf18f884fd1783932dc20648529118c2332822a280c21ede4f888b8ccdd95b8d09

memory/4480-11-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2852-12-0x0000000000C80000-0x0000000000C95000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
MD5 747f5c447eb9a56586f74e0f92f660ee
SHA1 aa19b87c5da9c6bad092b79020fb5d91d6d6ed99
SHA256 403acf9d0a186492bc2432b136f2860f497897241b1a245226fdfabb9b3bba22
SHA512 e95ff8698c8ee6954d383ff5143446c55094c67e78f4aaadcec2b39b71dcde1e67dc2f8839f3c3d0b25b5af48064a0b37cb73403478eaf73c063bf36f48dab8f

memory/2852-25-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2748-26-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2748-38-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/1192-51-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3596-64-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/948-77-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3048-90-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3256-91-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3256-104-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3972-117-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4480-118-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3972-131-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3336-144-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2008-156-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/728-158-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2008-171-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/1260-172-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/1260-185-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2452-198-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2492-199-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2492-211-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4420-212-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4728-224-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4420-226-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4728-239-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4480-252-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4588-253-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4588-266-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2248-267-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2248-280-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/4420-293-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/680-303-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2840-313-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/8-314-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/8-323-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2980-324-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/2980-334-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/3844-344-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/5140-354-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/5392-355-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/5392-365-0x0000000000C80000-0x0000000000C95000-memory.dmp
memory/5604-375-0x0000000000C80000-0x0000000000C95000-memory.dmp