andromeda | be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Size

252KB
MD5

a02b961480e8b7fc9313c6e2ae480442
SHA1

fa6243f289015a1a78a5fd28f3eba56d07c33f6b
SHA256

be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
SHA512

c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792
SSDEEP

6144:b1Wj/JCXHjMc5qKeMuFFKN0jb2ZlhdBJVjY/eRUExoJyOYHB7qY8zIK0GznuAXyk:pWj

Score

10^/10

andromeda backdoor botnet discovery persistence

Malware Config

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 2 IoCs

resource	yara_rule
behavioral1/memory/2788-23-0x0000000000020000-0x0000000000025000-memory.dmp	family_andromeda
behavioral1/memory/2788-27-0x0000000000020000-0x0000000000025000-memory.dmp	family_andromeda

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\38461 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mswyxr.cmd"	svchost.exe

Executes dropped EXE 29 IoCs

pid	Process
1500	49662594.exe
2064	49662594.exe
2656	49662594.exe
2968	49662594.exe
1396	49662594.exe
1772	49662594.exe
2884	49662594.exe
1620	49662594.exe
920	49662594.exe
2120	49662594.exe
388	49662594.exe
1760	49662594.exe
2736	49662594.exe
2272	49662594.exe
2312	49662594.exe
1976	49662594.exe
2596	49662594.exe
968	49662594.exe
2348	49662594.exe
2164	49662594.exe
3008	49662594.exe
2620	49662594.exe
2680	49662594.exe
1860	49662594.exe
1816	49662594.exe
2860	49662594.exe
2480	49662594.exe
1556	49662594.exe
2384	49662594.exe

Loads dropped DLL 58 IoCs

pid	Process
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 58 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	49662594.exe

Suspicious use of SetThreadContext 58 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 set thread context of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 set thread context of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 set thread context of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 set thread context of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 set thread context of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 set thread context of 2968	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	38
PID 2408 set thread context of 2988	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	39
PID 2408 set thread context of 1396	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	43
PID 2408 set thread context of 2468	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	44
PID 2408 set thread context of 1772	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	46
PID 2408 set thread context of 2564	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	47
PID 2408 set thread context of 2884	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	49
PID 2408 set thread context of 1092	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	50
PID 2408 set thread context of 1620	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	52
PID 2408 set thread context of 1148	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	53
PID 2408 set thread context of 920	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	55
PID 2408 set thread context of 1548	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	56
PID 2408 set thread context of 2120	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	58
PID 2408 set thread context of 900	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	59
PID 2408 set thread context of 388	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	61
PID 2408 set thread context of 2076	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	62
PID 2408 set thread context of 1760	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	64
PID 2408 set thread context of 2756	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	65
PID 2408 set thread context of 2736	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	67
PID 2408 set thread context of 2828	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	68
PID 2408 set thread context of 2272	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	70
PID 2408 set thread context of 848	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	71
PID 2408 set thread context of 2312	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	73
PID 2408 set thread context of 1956	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	74
PID 2408 set thread context of 1976	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	76
PID 2408 set thread context of 2592	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	77
PID 2408 set thread context of 2596	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	79
PID 2408 set thread context of 1692	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	80
PID 2408 set thread context of 968	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	82
PID 2408 set thread context of 1780	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	83
PID 2408 set thread context of 2348	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	85
PID 2408 set thread context of 2388	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	86
PID 2408 set thread context of 2164	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	88
PID 2408 set thread context of 1040	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	89
PID 2408 set thread context of 3008	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	91
PID 2408 set thread context of 2688	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	92
PID 2408 set thread context of 2620	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	94
PID 2408 set thread context of 3060	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	95
PID 2408 set thread context of 2680	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	97
PID 2408 set thread context of 2512	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	98
PID 2408 set thread context of 1860	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	100
PID 2408 set thread context of 2040	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	101
PID 2408 set thread context of 1816	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	103
PID 2408 set thread context of 1952	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	104
PID 2408 set thread context of 2860	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	106
PID 2408 set thread context of 1852	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	107
PID 2408 set thread context of 2480	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	109
PID 2408 set thread context of 448	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	110
PID 2408 set thread context of 1556	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	112
PID 2408 set thread context of 1916	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	113
PID 2408 set thread context of 2384	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	115
PID 2408 set thread context of 760	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	116

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\mswyxr.cmd	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49662594.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1500	49662594.exe
2064	49662594.exe
2656	49662594.exe
2968	49662594.exe
1396	49662594.exe
1772	49662594.exe
2884	49662594.exe
1620	49662594.exe
920	49662594.exe
2120	49662594.exe
388	49662594.exe
1760	49662594.exe
2736	49662594.exe
2272	49662594.exe
2312	49662594.exe
1976	49662594.exe
2596	49662594.exe
968	49662594.exe
2348	49662594.exe
2164	49662594.exe
3008	49662594.exe
2620	49662594.exe
2680	49662594.exe
1860	49662594.exe
1816	49662594.exe
2860	49662594.exe
2480	49662594.exe
1556	49662594.exe
2384	49662594.exe

Suspicious behavior: MapViewOfSection 58 IoCs

pid	Process
1500	49662594.exe
1500	49662594.exe
2064	49662594.exe
2064	49662594.exe
2656	49662594.exe
2656	49662594.exe
2968	49662594.exe
2968	49662594.exe
1396	49662594.exe
1396	49662594.exe
1772	49662594.exe
1772	49662594.exe
2884	49662594.exe
2884	49662594.exe
1620	49662594.exe
1620	49662594.exe
920	49662594.exe
920	49662594.exe
2120	49662594.exe
2120	49662594.exe
388	49662594.exe
388	49662594.exe
1760	49662594.exe
1760	49662594.exe
2736	49662594.exe
2736	49662594.exe
2272	49662594.exe
2272	49662594.exe
2312	49662594.exe
2312	49662594.exe
1976	49662594.exe
1976	49662594.exe
2596	49662594.exe
2596	49662594.exe
968	49662594.exe
968	49662594.exe
2348	49662594.exe
2348	49662594.exe
2164	49662594.exe
2164	49662594.exe
3008	49662594.exe
3008	49662594.exe
2620	49662594.exe
2620	49662594.exe
2680	49662594.exe
2680	49662594.exe
1860	49662594.exe
1860	49662594.exe
1816	49662594.exe
1816	49662594.exe
2860	49662594.exe
2860	49662594.exe
2480	49662594.exe
2480	49662594.exe
1556	49662594.exe
1556	49662594.exe
2384	49662594.exe
2384	49662594.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2432	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2644	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2536	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2988	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2468	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2564	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1092	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1148	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1548	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
900	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2076	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2756	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2828	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
848	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1956	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2592	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1692	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1780	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2388	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1040	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2688	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3060	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2512	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2040	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1952	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1852	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
448	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1916	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
760	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 1500	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 2408 wrote to memory of 2432	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	29
PID 1500 wrote to memory of 2788	1500	49662594.exe	30
PID 1500 wrote to memory of 2788	1500	49662594.exe	30
PID 1500 wrote to memory of 2788	1500	49662594.exe	30
PID 1500 wrote to memory of 2788	1500	49662594.exe	30
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2064	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2408 wrote to memory of 2644	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	33
PID 2064 wrote to memory of 2728	2064	49662594.exe	34
PID 2064 wrote to memory of 2728	2064	49662594.exe	34
PID 2064 wrote to memory of 2728	2064	49662594.exe	34
PID 2064 wrote to memory of 2728	2064	49662594.exe	34
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2656	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	35
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2656 wrote to memory of 2660	2656	49662594.exe	37
PID 2656 wrote to memory of 2660	2656	49662594.exe	37
PID 2656 wrote to memory of 2660	2656	49662594.exe	37
PID 2656 wrote to memory of 2660	2656	49662594.exe	37
PID 2408 wrote to memory of 2536	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	36
PID 2408 wrote to memory of 2968	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	38
PID 2408 wrote to memory of 2968	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	38
PID 2408 wrote to memory of 2968	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	38
PID 2408 wrote to memory of 2968	2408	a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2644
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2536
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2968
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2988
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1396
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1772
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:2824
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2884
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:408
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1092
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1620
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:920
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1548
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2120
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:892
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:900
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:388
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2076
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1760
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2756
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2736
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2272
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:848
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2312
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1976
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2596
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1692
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:968
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:340
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1780
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2348
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:2332
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2388
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2164
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:1608
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1040
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3008
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2620
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2680
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1860
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1816
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2860
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2480
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:1000
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:448
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1556
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1916
- C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2384
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

Filesize
252KB

MD5
a02b961480e8b7fc9313c6e2ae480442

SHA1
fa6243f289015a1a78a5fd28f3eba56d07c33f6b

SHA256
be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120

SHA512
c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792

Download Submit
memory/1500-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2064-40-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2432-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-76-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2788-19-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2788-20-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2788-23-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2788-27-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2988-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download