09d06214b4129bf23f0ee0001011136c6b786de60ab46c47cc25273407d14703

Analysis

max time kernel
31s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
Size

287KB
MD5

75ccb1d6acda4c4e3699e113ec85c6b1
SHA1

46601487f59c2541c3a2261d30d7f02934cee2f9
SHA256

09d06214b4129bf23f0ee0001011136c6b786de60ab46c47cc25273407d14703
SHA512

a087b09ef205b8c99bbd66aa77feefd017ddc8300b9abacb625a82bbf4d387198eb24f96ef9f9fb204d153c61b2b8a15d5810a43e4d35b3bbaa726f51c4275cd
SSDEEP

6144:fXA0P+lWaNXBr9YwrfhcS5Q7Uc8Fa8UgZflBMElhMmX4eR0s:j+7NXBr+wr5WQcca8UgZlBMElTGs

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1624-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1624-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1624-20-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2312-22-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1624-130-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2960-133-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1624-134-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1624-599-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1624-1411-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\55C.exe = "C:\\Program Files (x86)\\LP\\5192\\55C.exe"	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\5192\55C.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\5192\55C.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeexplorer.exeStartMenuExperienceHost.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2990742725-2267136959-192470804-1000\{8E253CB6-F26C-4E00-A400-C9E0DB6F05A1}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2990742725-2267136959-192470804-1000\{DAD2F617-0B6D-4C77-BA73-C6EAEA830211}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2990742725-2267136959-192470804-1000\{37859BF5-F130-43E4-8CF4-2FE8ED563A4C}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

pid	process
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeSecurityPrivilege	2108	msiexec.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	1032	explorer.exe
Token: SeCreatePagefilePrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeCreatePagefilePrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeCreatePagefilePrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeCreatePagefilePrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeCreatePagefilePrivilege	4688	explorer.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe
4688	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid process

3040 StartMenuExperienceHost.exe
2980 StartMenuExperienceHost.exe

pid	process
3040	StartMenuExperienceHost.exe
2980	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

description	pid	process	target process
PID 1624 wrote to memory of 2312	1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
PID 1624 wrote to memory of 2312	1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
PID 1624 wrote to memory of 2312	1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
PID 1624 wrote to memory of 2960	1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
PID 1624 wrote to memory of 2960	1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
PID 1624 wrote to memory of 2960	1624	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624

C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\2F95E\81051.exe%C:\Users\Admin\AppData\Roaming\2F95E
2⤵
- System Location Discovery: System Language Discovery
PID:2312

C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe startC:\Program Files (x86)\5EFB7\lvvm.exe%C:\Program Files (x86)\5EFB7
2⤵
- System Location Discovery: System Language Discovery
PID:2960

C:\Program Files (x86)\LP\5192\4735.tmp
"C:\Program Files (x86)\LP\5192\4735.tmp"
2⤵
PID:2588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2488

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\5192\4735.tmp

Filesize
102KB

MD5
57401a2069d022a5dc6ffee91de43906

SHA1
6e2850bde22f345739bf32031b2c2fb8850e0185

SHA256
9792c1645ecabeb90e2a61eb8a34ff0aa685eea55d61cbe47a667a3aca7e437b

SHA512
f4498f1ccf80bfd305f2b312e6e09b68271f1468cb3505120539bae7cf72a66609a5fcbd66ed5274fb466fa2c3dc13cf61f83ad3105303c333f19f696c3c96aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
d939a39ea46c39449434b928f546e513

SHA1
fa61eeaaa498b412359a026e8bc7bb86cea3b1fb

SHA256
9ece5a85b7e73ad5331d742370ee0e282ef3c862318488b85dc9c66826961515

SHA512
285b14114f0214eb2959ce405d31764e86216758c90c056113fdb39399af01fd4053ca80ab24f3af936fc3e19066eb11c64c4ceff7a689249e5d013d908bd639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
6e6b5658ba197c5ae4e1fd65a6f72ae6

SHA1
0f9185ee48174d116331e97b1351263e2aee2e21

SHA256
d31a4909f316c4239670191343c3460c17f09f3fb5accb70c2e2fe1760d0ecbc

SHA512
26dda9ae1f3aa64ba4d789647ab1149d1b5b96575eca897bc04e6a9e6995d2f944417dc2d13d91f5a564a7a1c51e86fb411edd3b5a64a55270ff0662114e48d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
18dbb0dea7278f274c01eb2cda8112f1

SHA1
9ef5b88be766da2738c76b8dea5f1f4f75725e62

SHA256
9feb45c8cb629b8047889285e042cce69ebc33e1039b08e924089af1ba452c90

SHA512
3c14c8ab31f6555a6f8120e6d2d1dc519fa6cf7bf8310ef251ddf90033caf5211ae3b69b218babbe1971613e89da46e7c3e2b0c82938c561550c503cb3a69ac4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133665521570750017.txt

Filesize
75KB

MD5
65bb435d80ace9f728221a1ae6ccfb7a

SHA1
fc6c750a4dae97f375c955d092bc91e7c64166d4

SHA256
86a9618db4ba5cdf18acd4a6cdcee7cd0f8c12d085674f8bfeeb050184b452f0

SHA512
bf20cdb790d6336a2e3756c2c0942ae1d16dc853ca583189f61d70d084f2855be5d9d66ee8339cf2cf8cf7bc257a2528df733583b128d06cc85381a74524f9d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\F2CLGW5Q\microsoft.windows[1].xml

Filesize
97B

MD5
4a191d9fedda995f5909efbcfcb7027f

SHA1
22c748a1c01c2d69a6c742b4aae9d41703a4c960

SHA256
c7edba1e760f5de63d096bb30b059fe19b90fbbc65f677e0d2facf77271a79e7

SHA512
1162b6872f60e051c569b0b6c8d41bb49be3130373c62ce39bc83c698f5f9a99f75810bccfd7137f831463cbfaf5cd6f13b59d384de334ae1ad58a4c426b162c

Download Submit
C:\Users\Admin\AppData\Roaming\2F95E\EFB7.F95

Filesize
1KB

MD5
6e1f3b410ec7a4b1a132f2266784326d

SHA1
613b83fe5e113ba458347f79660cd44b925110e9

SHA256
f6df60d2bc0c4866cafd515e114d65787367b271656c94dce1f845c9a3d63339

SHA512
33c787c40df68c106c47453ede3df2c43cc8511235d0d8348adbced294243f9b3e82e6c0303e76f3b55ea0eab0cda44d31e9911ff6c251698b897f8b825c4ea7

Download Submit
C:\Users\Admin\AppData\Roaming\2F95E\EFB7.F95

Filesize
696B

MD5
6240bf5ddcaa8eefa05473adf58edcc7

SHA1
903d7d8e873f4567e12a849c5a59af832ed9d902

SHA256
7e11eb712b9883869452b7e954bf9aa66f9f87b788192235fcabe440121c828b

SHA512
c93eeb110f8d01537c48fc265d21d2fa68d536d279c67a2d0ef6dc04d4571daf8ee1df40a6497f4a7de2059f970802ca5538dcdc40d74de48042147cd8115701

Download Submit
C:\Users\Admin\AppData\Roaming\2F95E\EFB7.F95

Filesize
1KB

MD5
e8469cddc46d3df721200ab2455383c6

SHA1
5da65a3a1255d4ad5c908ca7cc673893082d28f7

SHA256
9dd725fade9634d205354db41946300c8b878ed86beff4dc7718a91ec9cd1b9b

SHA512
4f324afc3ea273cd95fa7e09ef62ef68c949894280578ca94d0297f435aafb4b72862212012b024702c66d9398c297807815b74f08354d419520d22dda00efa9

Download Submit
C:\Users\Admin\AppData\Roaming\2F95E\EFB7.F95

Filesize
300B

MD5
ea9d20c264ec5d01feac19774ddf8bb6

SHA1
b12be916aff0e994f291ff315149061aa4ad6898

SHA256
6e342533ea12f0ce77562c830db7ccea1e92af1576f022a455805d83873e9cae

SHA512
5d3e0d697d764de0cceaed32ffc9c7a69c9a440b68ded1b815f3603a025dab01254140bd8a4faf972b925633352badd12cea1da87bc254bca92bc4d3fcd6394a

Download Submit
memory/212-1559-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/448-1425-0x00000258141E0000-0x0000025814200000-memory.dmp

Filesize
128KB

Download
memory/448-1421-0x0000025814420000-0x0000025814440000-memory.dmp

Filesize
128KB

Download
memory/448-1451-0x00000258147F0000-0x0000025814810000-memory.dmp

Filesize
128KB

Download
memory/968-1060-0x0000024F5FB00000-0x0000024F5FC00000-memory.dmp

Filesize
1024KB

Download
memory/968-1063-0x0000024F60C60000-0x0000024F60C80000-memory.dmp

Filesize
128KB

Download
memory/968-1059-0x0000024F5FB00000-0x0000024F5FC00000-memory.dmp

Filesize
1024KB

Download
memory/968-1072-0x0000024F60C20000-0x0000024F60C40000-memory.dmp

Filesize
128KB

Download
memory/968-1058-0x0000024F5FB00000-0x0000024F5FC00000-memory.dmp

Filesize
1024KB

Download
memory/968-1078-0x0000024F61020000-0x0000024F61040000-memory.dmp

Filesize
128KB

Download
memory/1272-1413-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/1624-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1624-599-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-1411-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-134-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1624-20-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1732-1056-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2084-908-0x000001C4F4500000-0x000001C4F4600000-memory.dmp

Filesize
1024KB

Download
memory/2084-914-0x000001C4F5800000-0x000001C4F5820000-memory.dmp

Filesize
128KB

Download
memory/2084-933-0x000001C4F55C0000-0x000001C4F55E0000-memory.dmp

Filesize
128KB

Download
memory/2084-934-0x000001C4F5BD0000-0x000001C4F5BF0000-memory.dmp

Filesize
128KB

Download
memory/2312-22-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2588-567-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2924-1207-0x0000017A5D370000-0x0000017A5D470000-memory.dmp

Filesize
1024KB

Download
memory/2924-1208-0x0000017A5D370000-0x0000017A5D470000-memory.dmp

Filesize
1024KB

Download
memory/2924-1234-0x0000017A5E940000-0x0000017A5E960000-memory.dmp

Filesize
128KB

Download
memory/2924-1213-0x0000017A5E4D0000-0x0000017A5E4F0000-memory.dmp

Filesize
128KB

Download
memory/2924-1209-0x0000017A5D370000-0x0000017A5D470000-memory.dmp

Filesize
1024KB

Download
memory/2924-1228-0x0000017A5E490000-0x0000017A5E4B0000-memory.dmp

Filesize
128KB

Download
memory/2960-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3008-1205-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3440-608-0x0000029BF01B0000-0x0000029BF01D0000-memory.dmp

Filesize
128KB

Download
memory/3440-638-0x0000029BF0580000-0x0000029BF05A0000-memory.dmp

Filesize
128KB

Download
memory/3440-604-0x0000029BEF050000-0x0000029BEF150000-memory.dmp

Filesize
1024KB

Download
memory/3440-605-0x0000029BEF050000-0x0000029BEF150000-memory.dmp

Filesize
1024KB

Download
memory/3440-616-0x0000029BF0170000-0x0000029BF0190000-memory.dmp

Filesize
128KB

Download
memory/3676-449-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3680-906-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/4036-473-0x0000029F89940000-0x0000029F89960000-memory.dmp

Filesize
128KB

Download
memory/4036-451-0x0000029F88820000-0x0000029F88920000-memory.dmp

Filesize
1024KB

Download
memory/4036-453-0x0000029F88820000-0x0000029F88920000-memory.dmp

Filesize
1024KB

Download
memory/4036-452-0x0000029F88820000-0x0000029F88920000-memory.dmp

Filesize
1024KB

Download
memory/4036-456-0x0000029F89980000-0x0000029F899A0000-memory.dmp

Filesize
128KB

Download
memory/4036-483-0x0000029F89D50000-0x0000029F89D70000-memory.dmp

Filesize
128KB

Download
memory/4284-1560-0x000001449B100000-0x000001449B200000-memory.dmp

Filesize
1024KB

Download
memory/4392-601-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/4396-275-0x000001B574340000-0x000001B574440000-memory.dmp

Filesize
1024KB

Download
memory/4396-293-0x000001B575260000-0x000001B575280000-memory.dmp

Filesize
128KB

Download
memory/4396-309-0x000001B575880000-0x000001B5758A0000-memory.dmp

Filesize
128KB

Download
memory/4396-279-0x000001B5752A0000-0x000001B5752C0000-memory.dmp

Filesize
128KB

Download
memory/4396-274-0x000001B574340000-0x000001B574440000-memory.dmp

Filesize
1024KB

Download
memory/4688-272-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/5076-755-0x0000022393040000-0x0000022393140000-memory.dmp

Filesize
1024KB

Download
memory/5076-777-0x0000022394560000-0x0000022394580000-memory.dmp

Filesize
128KB

Download
memory/5076-765-0x0000022394150000-0x0000022394170000-memory.dmp

Filesize
128KB

Download
memory/5076-761-0x0000022394190000-0x00000223941B0000-memory.dmp

Filesize
128KB

Download
memory/5096-754-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download