Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-07-2024 12:22

General

  • Target

    575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe

  • Size

    636KB

  • MD5

    575be827aaf815b042eeb2f26256aa36

  • SHA1

    0fbaac8c23c753087600ebb60d88156c0e879cf4

  • SHA256

    7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7

  • SHA512

    28a9767ee3ad3f260bafd4bd6cd30db3908fa63e6049df5b99e50f6cd5ec68d168a3cfa238fceba5e59626ea95b809cf0edebc5baa427ce1fcd989af8c958c52

  • SSDEEP

    12288:LcR/C44VLG/8zwfVHQ8/teJhIDu8mHI8NMgzHQo:Lm/P4RG/8ziwGeJhC9S

Malware Config

Extracted

Family

xtremerat

C2

tr3x.tzo.cc

Signatures

  • Detect XtremeRAT payload (22 IoCs)
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 60 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (56 IoCs)
  • Adds Run key to start application (2 TTPs, 60 IoCs)
  • Suspicious use of SetThreadContext (29 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (29 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Program Files (x86)\InstallDir\tr3x.exe
          "C:\Program Files (x86)\InstallDir\tr3x.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Program Files (x86)\InstallDir\tr3x.exe
            "C:\Program Files (x86)\InstallDir\tr3x.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4524
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
                PID:4120
          • C:\Program Files (x86)\InstallDir\tr3x.exe
            "C:\Program Files (x86)\InstallDir\tr3x.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3892
            • C:\Program Files (x86)\InstallDir\tr3x.exe
              "C:\Program Files (x86)\InstallDir\tr3x.exe"
              5⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:4828
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                6⤵
                  PID:4348
            • C:\Program Files (x86)\InstallDir\tr3x.exe
              "C:\Program Files (x86)\InstallDir\tr3x.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:3948
              • C:\Program Files (x86)\InstallDir\tr3x.exe
                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                5⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Adds Run key to start application
                PID:2952
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  6⤵
                    PID:1744
              • C:\Program Files (x86)\InstallDir\tr3x.exe
                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:4952
                • C:\Program Files (x86)\InstallDir\tr3x.exe
                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                  5⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Adds Run key to start application
                  PID:2940
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe
                    6⤵
                      PID:4928
                • C:\Program Files (x86)\InstallDir\tr3x.exe
                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of SetWindowsHookEx
                  PID:2232
                  • C:\Program Files (x86)\InstallDir\tr3x.exe
                    "C:\Program Files (x86)\InstallDir\tr3x.exe"
                    5⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:3896
                    • C:\Windows\SysWOW64\svchost.exe
                      svchost.exe
                      6⤵
                        PID:2880
                  • C:\Program Files (x86)\InstallDir\tr3x.exe
                    "C:\Program Files (x86)\InstallDir\tr3x.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of SetWindowsHookEx
                    PID:4856
                    • C:\Program Files (x86)\InstallDir\tr3x.exe
                      "C:\Program Files (x86)\InstallDir\tr3x.exe"
                      5⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Adds Run key to start application
                      PID:1316
                      • C:\Windows\SysWOW64\svchost.exe
                        svchost.exe
                        6⤵
                          PID:3548
                    • C:\Program Files (x86)\InstallDir\tr3x.exe
                      "C:\Program Files (x86)\InstallDir\tr3x.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of SetWindowsHookEx
                      PID:5092
                      • C:\Program Files (x86)\InstallDir\tr3x.exe
                        "C:\Program Files (x86)\InstallDir\tr3x.exe"
                        5⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Adds Run key to start application
                        PID:2192
                        • C:\Windows\SysWOW64\svchost.exe
                          svchost.exe
                          6⤵
                            PID:3392
                      • C:\Program Files (x86)\InstallDir\tr3x.exe
                        "C:\Program Files (x86)\InstallDir\tr3x.exe"
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious use of SetWindowsHookEx
                        PID:1328
                        • C:\Program Files (x86)\InstallDir\tr3x.exe
                          "C:\Program Files (x86)\InstallDir\tr3x.exe"
                          5⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Adds Run key to start application
                          PID:4888
                          • C:\Windows\SysWOW64\svchost.exe
                            svchost.exe
                            6⤵
                              PID:3352
                        • C:\Program Files (x86)\InstallDir\tr3x.exe
                          "C:\Program Files (x86)\InstallDir\tr3x.exe"
                          4⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of SetWindowsHookEx
                          PID:5096
                          • C:\Program Files (x86)\InstallDir\tr3x.exe
                            "C:\Program Files (x86)\InstallDir\tr3x.exe"
                            5⤵
                            • Boot or Logon Autostart Execution: Active Setup
                            • Executes dropped EXE
                            • Adds Run key to start application
                            PID:1376
                            • C:\Windows\SysWOW64\svchost.exe
                              svchost.exe
                              6⤵
                                PID:3948
                          • C:\Program Files (x86)\InstallDir\tr3x.exe
                            "C:\Program Files (x86)\InstallDir\tr3x.exe"
                            4⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious use of SetWindowsHookEx
                            PID:224
                            • C:\Program Files (x86)\InstallDir\tr3x.exe
                              "C:\Program Files (x86)\InstallDir\tr3x.exe"
                              5⤵
                              • Boot or Logon Autostart Execution: Active Setup
                              • Executes dropped EXE
                              • Adds Run key to start application
                              PID:2460
                              • C:\Windows\SysWOW64\svchost.exe
                                svchost.exe
                                6⤵
                                  PID:4220
                            • C:\Program Files (x86)\InstallDir\tr3x.exe
                              "C:\Program Files (x86)\InstallDir\tr3x.exe"
                              4⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of SetWindowsHookEx
                              PID:2008
                              • C:\Program Files (x86)\InstallDir\tr3x.exe
                                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                5⤵
                                • Boot or Logon Autostart Execution: Active Setup
                                • Executes dropped EXE
                                • Adds Run key to start application
                                PID:1832
                                • C:\Windows\SysWOW64\svchost.exe
                                  svchost.exe
                                  6⤵
                                    PID:1240
                              • C:\Program Files (x86)\InstallDir\tr3x.exe
                                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Suspicious use of SetWindowsHookEx
                                PID:5080
                                • C:\Program Files (x86)\InstallDir\tr3x.exe
                                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                  5⤵
                                  • Boot or Logon Autostart Execution: Active Setup
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  PID:4216
                                  • C:\Windows\SysWOW64\svchost.exe
                                    svchost.exe
                                    6⤵
                                      PID:1752
                                • C:\Program Files (x86)\InstallDir\tr3x.exe
                                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3100
                                  • C:\Program Files (x86)\InstallDir\tr3x.exe
                                    "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                    5⤵
                                    • Boot or Logon Autostart Execution: Active Setup
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    PID:3340
                                    • C:\Windows\SysWOW64\svchost.exe
                                      svchost.exe
                                      6⤵
                                        PID:2376
                                  • C:\Program Files (x86)\InstallDir\tr3x.exe
                                    "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of SetWindowsHookEx
                                    PID:3804
                                    • C:\Program Files (x86)\InstallDir\tr3x.exe
                                      "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                      5⤵
                                      • Boot or Logon Autostart Execution: Active Setup
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:2632
                                      • C:\Windows\SysWOW64\svchost.exe
                                        svchost.exe
                                        6⤵
                                          PID:668
                                    • C:\Program Files (x86)\InstallDir\tr3x.exe
                                      "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3964
                                      • C:\Program Files (x86)\InstallDir\tr3x.exe
                                        "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                        5⤵
                                        • Boot or Logon Autostart Execution: Active Setup
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        PID:1952
                                        • C:\Windows\SysWOW64\svchost.exe
                                          svchost.exe
                                          6⤵
                                            PID:2860
                                      • C:\Program Files (x86)\InstallDir\tr3x.exe
                                        "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                        4⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1888
                                        • C:\Program Files (x86)\InstallDir\tr3x.exe
                                          "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                          5⤵
                                          • Boot or Logon Autostart Execution: Active Setup
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          PID:4564
                                          • C:\Windows\SysWOW64\svchost.exe
                                            svchost.exe
                                            6⤵
                                              PID:4784
                                        • C:\Program Files (x86)\InstallDir\tr3x.exe
                                          "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                          4⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2668
                                          • C:\Program Files (x86)\InstallDir\tr3x.exe
                                            "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                            5⤵
                                            • Boot or Logon Autostart Execution: Active Setup
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            PID:3892
                                            • C:\Windows\SysWOW64\svchost.exe
                                              svchost.exe
                                              6⤵
                                                PID:3352
                                          • C:\Program Files (x86)\InstallDir\tr3x.exe
                                            "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4072
                                            • C:\Program Files (x86)\InstallDir\tr3x.exe
                                              "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                              5⤵
                                              • Boot or Logon Autostart Execution: Active Setup
                                              • Executes dropped EXE
                                              • Adds Run key to start application
                                              PID:5096
                                              • C:\Windows\SysWOW64\svchost.exe
                                                svchost.exe
                                                6⤵
                                                  PID:2732
                                            • C:\Program Files (x86)\InstallDir\tr3x.exe
                                              "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3448
                                              • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                5⤵
                                                • Boot or Logon Autostart Execution: Active Setup
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                PID:2260
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  svchost.exe
                                                  6⤵
                                                    PID:2248
                                              • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                4⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2992
                                                • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                  5⤵
                                                  • Boot or Logon Autostart Execution: Active Setup
                                                  • Executes dropped EXE
                                                  • Adds Run key to start application
                                                  PID:2776
                                                  • C:\Windows\SysWOW64\svchost.exe
                                                    svchost.exe
                                                    6⤵
                                                      PID:3272
                                                • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3004
                                                  • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                    "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                    5⤵
                                                    • Boot or Logon Autostart Execution: Active Setup
                                                    • Executes dropped EXE
                                                    • Adds Run key to start application
                                                    PID:4712
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      svchost.exe
                                                      6⤵
                                                        PID:1316
                                                  • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                    "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:4636
                                                    • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                      "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                      5⤵
                                                      • Boot or Logon Autostart Execution: Active Setup
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      PID:3804
                                                      • C:\Windows\SysWOW64\svchost.exe
                                                        svchost.exe
                                                        6⤵
                                                          PID:4504
                                                    • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                      "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1552
                                                      • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                        "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                        5⤵
                                                        • Boot or Logon Autostart Execution: Active Setup
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:4564
                                                        • C:\Windows\SysWOW64\svchost.exe
                                                          svchost.exe
                                                          6⤵
                                                            PID:2936
                                                      • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                        "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1696
                                                        • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                          "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                          5⤵
                                                          • Boot or Logon Autostart Execution: Active Setup
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          PID:4888
                                                          • C:\Windows\SysWOW64\svchost.exe
                                                            svchost.exe
                                                            6⤵
                                                              PID:644
                                                        • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                          "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:344
                                                          • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                            "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                            5⤵
                                                            • Boot or Logon Autostart Execution: Active Setup
                                                            • Executes dropped EXE
                                                            • Adds Run key to start application
                                                            PID:4064
                                                            • C:\Windows\SysWOW64\svchost.exe
                                                              svchost.exe
                                                              6⤵
                                                                PID:2628
                                                          • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                            "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                            4⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2224
                                                            • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                              "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                              5⤵
                                                              • Boot or Logon Autostart Execution: Active Setup
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              PID:2248
                                                              • C:\Windows\SysWOW64\svchost.exe
                                                                svchost.exe
                                                                6⤵
                                                                  PID:940
                                                            • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                              "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2292
                                                              • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                                5⤵
                                                                • Boot or Logon Autostart Execution: Active Setup
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                PID:2776
                                                                • C:\Windows\SysWOW64\svchost.exe
                                                                  svchost.exe
                                                                  6⤵
                                                                    PID:3480
                                                              • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                                "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:2112
                                                                • C:\Program Files (x86)\InstallDir\tr3x.exe
                                                                  "C:\Program Files (x86)\InstallDir\tr3x.exe"
                                                                  5⤵
                                                                  • Boot or Logon Autostart Execution: Active Setup
                                                                  • Executes dropped EXE
                                                                  • Adds Run key to start application
                                                                  PID:4036
                                                                  • C:\Windows\SysWOW64\svchost.exe
                                                                    svchost.exe
                                                                    6⤵
                                                                      PID:4928
                                                              • C:\Windows\SysWOW64\svchost.exe
                                                                svchost.exe
                                                                3⤵
                                                                  PID:1476

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Program Files (x86)\InstallDir\tr3x.exe

                                                              Filesize

                                                              636KB

                                                              MD5

                                                              575be827aaf815b042eeb2f26256aa36

                                                              SHA1

                                                              0fbaac8c23c753087600ebb60d88156c0e879cf4

                                                              SHA256

                                                              7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7

                                                              SHA512

                                                              28a9767ee3ad3f260bafd4bd6cd30db3908fa63e6049df5b99e50f6cd5ec68d168a3cfa238fceba5e59626ea95b809cf0edebc5baa427ce1fcd989af8c958c52

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              67b9ff6cf1683ec9b451c1d928b18f61

                                                              SHA1

                                                              2c54b6f9723228610e03ac1103d7f11294640e82

                                                              SHA256

                                                              2219b80ad57c2a072336f7d0ac0c06a30cbf2a35e953b277f53802ca31c80628

                                                              SHA512

                                                              e75b7e0ce8b51c19cf035adb2a28a730d8c8d81994afcb27f4815a09e83c779da6a468bc412f700540df229b7fc64ddaf7ef27df1492c0f1038466095dbbe7ca
