Malware Analysis Report

2024-12-07 21:32

Sample ID 240716-s7dyvazbpl
Target 4efd834d2514f0f58b7040266d2dc128_JaffaCakes118
SHA256 5acb858814052cd5bb85916bbe76330c8225c9df807d362e82d0ab51cb75c462
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5acb858814052cd5bb85916bbe76330c8225c9df807d362e82d0ab51cb75c462

Threat Level: Known bad

The file 4efd834d2514f0f58b7040266d2dc128_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

XtremeRAT

Detect XtremeRAT payload

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 15:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 15:45

Reported

2024-07-16 15:48

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3336 set thread context of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 1640 set thread context of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 4008 set thread context of 1796 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2600 set thread context of 4720 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1600 set thread context of 3772 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3008 set thread context of 4580 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1776 set thread context of 1628 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3256 set thread context of 3704 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2252 set thread context of 404 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 4488 set thread context of 3572 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3780 set thread context of 1900 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 4824 set thread context of 2492 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2968 set thread context of 628 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2332 set thread context of 1636 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3792 set thread context of 3436 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 1664 set thread context of 3228 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 5112 set thread context of 1292 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 1160 set thread context of 628 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 688 set thread context of 2316 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3304 set thread context of 3256 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2500 set thread context of 2776 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 748 set thread context of 3040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1952 set thread context of 1108 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 376 set thread context of 748 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3008 set thread context of 4984 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2340 set thread context of 3720 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2768 set thread context of 4700 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 5168 set thread context of 5196 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 5368 set thread context of 5396 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 5776 set thread context of 5804 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 5980 set thread context of 6008 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 3336 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2336 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2336 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 2336 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 2336 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1640 wrote to memory of 4140 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 4140 wrote to memory of 2172 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2172 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2172 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2932 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2932 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2932 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2496 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2496 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 2496 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 4840 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 4840 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4140 wrote to memory of 4840 N/A C:\Windows\InstallDir\Server.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE

"C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 161.114.50.184.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2336-2-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2336-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2336-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2336-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 4efd834d2514f0f58b7040266d2dc128
SHA1 e7dcaabdcb2a16c675a29ca9dd68350b9169947a
SHA256 5acb858814052cd5bb85916bbe76330c8225c9df807d362e82d0ab51cb75c462
SHA512 5a7671e9d45422173fd902082caeadd1bf610bfa474c97c2b31b1363be79838cd94f45271abb17e5464d7825bc01e682fe89ee2e4e281595229e53d9310e0617

memory/2336-19-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4140-25-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4140-26-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 a120bf784ca1cc8ff380066aa1082177
SHA1 1ecb849bf45e5974cff7e466c47fae29047791ac
SHA256 f228aa3681903f65eef5ae66fc8541d121b23dd93d705bab8f0e05a64c07603c
SHA512 412a2a618659bb1cb17acdb00565d32ce00ef75dd6f124805b70ea9a4f37dc8bf2371d3900099186a2c2ba0feb2a560f679d71de3743feb0c6bd3628a69bf949

memory/4140-41-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1796-46-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4720-65-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1628-125-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3704-145-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2316-359-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5804-535-0x0000000000C80000-0x0000000000C93000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 15:45

Reported

2024-07-16 15:48

Platform

win7-20240708-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
N/A N/A C:\Windows\InstallDir\Server.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2692 set thread context of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2796 set thread context of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2016 set thread context of 2656 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2984 set thread context of 2200 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2436 set thread context of 1920 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 1152 set thread context of 2704 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2952 set thread context of 1348 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 1544 set thread context of 2460 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2060 set thread context of 1508 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2548 set thread context of 2004 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2608 set thread context of 2660 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 1352 set thread context of 2848 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2312 set thread context of 1920 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2380 set thread context of 292 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 1984 set thread context of 1788 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2820 set thread context of 2176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 632 set thread context of 2136 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2244 set thread context of 2044 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2460 set thread context of 3020 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 2548 set thread context of 2652 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 824 set thread context of 996 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 1612 set thread context of 1392 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2256 set thread context of 1624 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3064 set thread context of 2492 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3064 set thread context of 328 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3104 set thread context of 3132 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3260 set thread context of 3288 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3416 set thread context of 3444 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3572 set thread context of 3600 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE
PID 3724 set thread context of 3752 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 3876 set thread context of 3904 N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File created C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2692 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE
PID 2004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2004 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 2004 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 2004 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 2004 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE C:\Windows\InstallDir\Server.exe
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE
PID 2796 wrote to memory of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE

"C:\Users\Admin\AppData\Local\Temp\4efd834d2514f0f58b7040266d2dc128_JaffaCakes118.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.EXE

"C:\Windows\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

memory/2004-2-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2004-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2004-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2004-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

\Windows\InstallDir\Server.exe

MD5 4efd834d2514f0f58b7040266d2dc128
SHA1 e7dcaabdcb2a16c675a29ca9dd68350b9169947a
SHA256 5acb858814052cd5bb85916bbe76330c8225c9df807d362e82d0ab51cb75c462
SHA512 5a7671e9d45422173fd902082caeadd1bf610bfa474c97c2b31b1363be79838cd94f45271abb17e5464d7825bc01e682fe89ee2e4e281595229e53d9310e0617

memory/2004-16-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2304-26-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 a120bf784ca1cc8ff380066aa1082177
SHA1 1ecb849bf45e5974cff7e466c47fae29047791ac
SHA256 f228aa3681903f65eef5ae66fc8541d121b23dd93d705bab8f0e05a64c07603c
SHA512 412a2a618659bb1cb17acdb00565d32ce00ef75dd6f124805b70ea9a4f37dc8bf2371d3900099186a2c2ba0feb2a560f679d71de3743feb0c6bd3628a69bf949

memory/2304-36-0x0000000000C80000-0x0000000000C93000-memory.dmp