Malware Analysis Report

2025-01-02 02:47

Sample ID 240718-pj17pa1fqa
Target 575be827aaf815b042eeb2f26256aa36_JaffaCakes118
SHA256 7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7
Tags: xtremerat, persistence, rat, spyware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7

Threat Level: Known bad

The file 575be827aaf815b042eeb2f26256aa36_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: xtremerat, persistence, rat, spyware

Detect XtremeRAT payload

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-18 12:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-18 12:22
Reported: 2024-07-18 12:24
Platform: win7-20240705-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

XtremeRAT

Tags: persistence, spyware, rat, xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe restart" C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\InstallDir\tr3x.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\InstallDir\tr3x.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe (14 identical rows)
PID 1968 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe (5 identical rows)
PID 1968 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe (5 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tr3x.tzo.cc udp
US 76.223.54.146:81 tr3x.tzo.cc tcp
US 13.248.169.48:81 tr3x.tzo.cc tcp
US 76.223.54.146:81 tr3x.tzo.cc tcp
US 13.248.169.48:81 tr3x.tzo.cc tcp
US 76.223.54.146:81 tr3x.tzo.cc tcp
US 13.248.169.48:81 tr3x.tzo.cc tcp
US 76.223.54.146:81 tr3x.tzo.cc tcp

Files

memory/1968-2-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1968-4-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1968-3-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1968-5-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2444-11-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2444-10-0x0000000013140000-0x000000001315C000-memory.dmp

C:\Program Files (x86)\InstallDir\tr3x.exe

MD5 575be827aaf815b042eeb2f26256aa36
SHA1 0fbaac8c23c753087600ebb60d88156c0e879cf4
SHA256 7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7
SHA512 28a9767ee3ad3f260bafd4bd6cd30db3908fa63e6049df5b99e50f6cd5ec68d168a3cfa238fceba5e59626ea95b809cf0edebc5baa427ce1fcd989af8c958c52

memory/2060-15-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1968-16-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2060-18-0x0000000013140000-0x000000001315C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-18 12:22
Reported: 2024-07-18 12:24
Platform: win10v2004-20240709-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (22 identical rows)

XtremeRAT

Tags: persistence, spyware, rat, xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Program Files (x86)\InstallDir\tr3x.exe N/A (28 identical rows)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe restart" C:\Program Files (x86)\InstallDir\tr3x.exe N/A (28 identical rows)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe restart" C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A (56 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A (12 identical rows)
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A (16 identical rows)
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\InstallDir\\tr3x.exe" C:\Program Files (x86)\InstallDir\tr3x.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4228 set thread context of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 3040 set thread context of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 set thread context of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3948 set thread context of 2952 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 4952 set thread context of 2940 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2232 set thread context of 3896 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 4856 set thread context of 1316 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 5092 set thread context of 2192 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 1328 set thread context of 4888 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 5096 set thread context of 1376 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 224 set thread context of 2460 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2008 set thread context of 1832 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 5080 set thread context of 4216 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3100 set thread context of 3340 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3804 set thread context of 2632 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3964 set thread context of 1952 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 1888 set thread context of 4564 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2668 set thread context of 3892 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 4072 set thread context of 5096 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3448 set thread context of 2260 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2992 set thread context of 2776 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3004 set thread context of 4712 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 4636 set thread context of 3804 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 1552 set thread context of 4564 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 1696 set thread context of 4888 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 344 set thread context of 4064 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2224 set thread context of 2248 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2292 set thread context of 2776 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 2112 set thread context of 4036 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\InstallDir\tr3x.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\InstallDir\tr3x.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A
N/A N/A C:\Program Files (x86)\InstallDir\tr3x.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 4228 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe
PID 2192 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2192 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 3932 wrote to memory of 3040 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3932 wrote to memory of 3040 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3932 wrote to memory of 3040 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3040 wrote to memory of 4524 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 4524 wrote to memory of 4120 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 4524 wrote to memory of 4120 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 4524 wrote to memory of 4120 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 4524 wrote to memory of 4120 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 3932 wrote to memory of 3892 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3932 wrote to memory of 3892 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3932 wrote to memory of 3892 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3892 wrote to memory of 4828 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 4828 wrote to memory of 4348 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 4828 wrote to memory of 4348 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 4828 wrote to memory of 4348 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 4828 wrote to memory of 4348 N/A C:\Program Files (x86)\InstallDir\tr3x.exe C:\Windows\SysWOW64\svchost.exe
PID 3932 wrote to memory of 3948 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3932 wrote to memory of 3948 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe
PID 3932 wrote to memory of 3948 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\InstallDir\tr3x.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\575be827aaf815b042eeb2f26256aa36_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Program Files (x86)\InstallDir\tr3x.exe "C:\Program Files (x86)\InstallDir\tr3x.exe"
C:\Windows\SysWOW64\svchost.exe svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/2192-3-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2192-2-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2192-4-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2192-5-0x0000000013140000-0x000000001315C000-memory.dmp

memory/3932-9-0x0000000013140000-0x000000001315C000-memory.dmp

C:\Program Files (x86)\InstallDir\tr3x.exe

MD5 575be827aaf815b042eeb2f26256aa36
SHA1 0fbaac8c23c753087600ebb60d88156c0e879cf4
SHA256 7482550afd104fb717817aa4a366e6f5c91377b1add23dd3ee4986b6283589c7
SHA512 28a9767ee3ad3f260bafd4bd6cd30db3908fa63e6049df5b99e50f6cd5ec68d168a3cfa238fceba5e59626ea95b809cf0edebc5baa427ce1fcd989af8c958c52

memory/1476-11-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2192-12-0x0000000013140000-0x000000001315C000-memory.dmp

memory/4524-19-0x0000000013140000-0x000000001315C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 67b9ff6cf1683ec9b451c1d928b18f61
SHA1 2c54b6f9723228610e03ac1103d7f11294640e82
SHA256 2219b80ad57c2a072336f7d0ac0c06a30cbf2a35e953b277f53802ca31c80628
SHA512 e75b7e0ce8b51c19cf035adb2a28a730d8c8d81994afcb27f4815a09e83c779da6a468bc412f700540df229b7fc64ddaf7ef27df1492c0f1038466095dbbe7ca

memory/4120-23-0x0000000013140000-0x000000001315C000-memory.dmp

memory/4348-34-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1744-45-0x0000000013140000-0x000000001315C000-memory.dmp

memory/4928-56-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2880-67-0x0000000013140000-0x000000001315C000-memory.dmp

memory/3548-78-0x0000000013140000-0x000000001315C000-memory.dmp

memory/3392-89-0x0000000013140000-0x000000001315C000-memory.dmp

memory/3352-100-0x0000000013140000-0x000000001315C000-memory.dmp

memory/3948-111-0x0000000013140000-0x000000001315C000-memory.dmp

memory/4220-122-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1240-133-0x0000000013140000-0x000000001315C000-memory.dmp

memory/1752-144-0x0000000013140000-0x000000001315C000-memory.dmp

memory/2376-155-0x0000000013140000-0x000000001315C000-memory.dmp

memory/668-166-0x0000000013140000-0x000000001315C000-memory.dmp