Malware Analysis Report

2025-01-02 02:19

Sample ID 240718-xk4cfavekb
Target 58a694a55501370daf4590f2eba2dd0a_JaffaCakes118
SHA256 ed52802436fcb6a174d5ae4970629bbeb7104f46ca09e9d3022a34cc178044c4
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed52802436fcb6a174d5ae4970629bbeb7104f46ca09e9d3022a34cc178044c4

Threat Level: Known bad

The file 58a694a55501370daf4590f2eba2dd0a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Xtremerat family

Detect XtremeRAT payload

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 18:55

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Xtremerat family

xtremerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 18:55

Reported

2024-07-18 18:58

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 872 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 872 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 872 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 872 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 4536 wrote to memory of 3080 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 3080 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 3080 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 1392 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 1392 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 1392 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 5032 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 5032 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 5032 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4404 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4404 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4404 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 3480 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 3480 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 3480 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4756 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4756 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4756 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 5044 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 5044 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 5044 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 1796 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 1796 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4536 wrote to memory of 4228 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe
PID 4536 wrote to memory of 4228 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe
PID 4536 wrote to memory of 4228 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe
PID 4228 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

MD5 58a694a55501370daf4590f2eba2dd0a
SHA1 dd31724678aac259763eb774db2b1d38568108d8
SHA256 ed52802436fcb6a174d5ae4970629bbeb7104f46ca09e9d3022a34cc178044c4
SHA512 92de95a9a2ab275a1f4be120b5eac54dd9e7e5a62f2a1f75647b1d55959984fba85a5e296650d165f8da6c8746553e1f32c0ad7e09e87aecd3b3b30a1bf5aaae

memory/872-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\W2M5uWrX.cfg

MD5 81efa59f1205fae534cb6423185b73dc
SHA1 89b68f58f5183851d03ab96093f260a8fe84a80b
SHA256 a1823810ccc68462fa112921c050379adb6658f4de7a13a482c9dba7165aaa9d
SHA512 1068e94ec9a23243b2ae3bdf30233af8db1d0981663c8e69848a5d9d785678330655c8686e4c140e566804dd3a2278dc6e2c6b7d87ea4ce13d739671e2629ced

memory/4536-21-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4228-33-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2660-45-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4988-57-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3684-69-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4488-81-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/900-93-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3196-105-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1488-117-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2748-129-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4832-141-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1448-153-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4544-165-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4632-177-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4520-189-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1780-201-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2280-213-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2408-225-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3716-237-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1888-249-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5428-261-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5668-270-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5840-279-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/6060-288-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3020-297-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5300-306-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5404-315-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5392-324-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2496-333-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1424-342-0x0000000000C80000-0x0000000000C93000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 18:55

Reported

2024-07-18 18:58

Platform

win7-20240708-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe restart" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe restart" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
N/A N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\UpDwindows\\scvhot.exe" C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\UpDwindows\\scvhot.exe" C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File created C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A
File opened for modification C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 2252 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 2252 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 2252 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe C:\Windows\SysWOW64\UpDwindows\scvhot.exe
PID 2216 wrote to memory of 2572 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2572 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2572 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2572 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2572 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2792 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2792 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2792 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2792 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2792 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2500 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2500 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2500 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2500 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2500 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2824 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2824 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2824 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2824 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2824 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpDwindows\scvhot.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\58a694a55501370daf4590f2eba2dd0a_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\UpDwindows\scvhot.exe

"C:\Windows\system32\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe

"C:\Users\Admin\AppData\Roaming\UpDwindows\scvhot.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

\Windows\SysWOW64\UpDwindows\scvhot.exe

MD5 58a694a55501370daf4590f2eba2dd0a
SHA1 dd31724678aac259763eb774db2b1d38568108d8
SHA256 ed52802436fcb6a174d5ae4970629bbeb7104f46ca09e9d3022a34cc178044c4
SHA512 92de95a9a2ab275a1f4be120b5eac54dd9e7e5a62f2a1f75647b1d55959984fba85a5e296650d165f8da6c8746553e1f32c0ad7e09e87aecd3b3b30a1bf5aaae

memory/2252-11-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\W2M5uWrX.cfg

MD5 81efa59f1205fae534cb6423185b73dc
SHA1 89b68f58f5183851d03ab96093f260a8fe84a80b
SHA256 a1823810ccc68462fa112921c050379adb6658f4de7a13a482c9dba7165aaa9d
SHA512 1068e94ec9a23243b2ae3bdf30233af8db1d0981663c8e69848a5d9d785678330655c8686e4c140e566804dd3a2278dc6e2c6b7d87ea4ce13d739671e2629ced

memory/2216-23-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2628-36-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2912-46-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2840-58-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/292-68-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/664-82-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1296-91-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1536-104-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2368-115-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1044-127-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2144-137-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2680-150-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2128-160-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2084-173-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1212-183-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/860-193-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2616-201-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1540-210-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1664-218-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2504-227-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2304-228-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2304-229-0x00000000776B0000-0x00000000777CF000-memory.dmp

memory/2304-230-0x00000000777D0000-0x00000000778CA000-memory.dmp

memory/1416-239-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/708-247-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/832-256-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2704-264-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3128-273-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3260-281-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3400-290-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3536-298-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3668-307-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3804-315-0x0000000000C80000-0x0000000000C93000-memory.dmp