pony | 2bc14e7cf691d033e0f7411d146ffbb8a7ed13f193330097f4cffac509cf2047

Analysis

max time kernel
66s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
Size

275KB
MD5

d13e98dacaf32c0078692be104ae89ab
SHA1

93f98d1995625c39d887180e585e50a1a90f8cd9
SHA256

2bc14e7cf691d033e0f7411d146ffbb8a7ed13f193330097f4cffac509cf2047
SHA512

508a6223b047d1d95ddb4c0e8e070c4d30a00c4d37b91e6f01b1b43d92c91b2768e34eef53f4fc117743f61f8383730b38d715008f341afd054fae1bf13a6030
SSDEEP

6144:WG/jt2hYYHUFJNKxA6dOR7CjcA09ehuKd+OjmDO4O+10Ucw:WCQh8ToKXYDfNkOjmDO4Qxw

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
4832	683.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4568-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4568-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2184-16-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4568-15-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/2184-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4568-126-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3628-128-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4568-710-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\C92.exe = "C:\\Program Files (x86)\\LP\\A034\\C92.exe"	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\A034\C92.exe	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\A034\683.tmp	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\LP\A034\C92.exe	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	683.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{823D02CB-BC45-45C2-822C-549881000936}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{70F22BE0-29BB-4928-ABBC-B0E284A1ABCD}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{D27DE611-8CDC-468C-9AB1-25E1A0A8BBEF}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1420	msiexec.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	3516	explorer.exe
Token: SeCreatePagefilePrivilege	3516	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeCreatePagefilePrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
4696	explorer.exe
1520	explorer.exe
1520	explorer.exe
1520	explorer.exe
1520	explorer.exe
1520	explorer.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1592	StartMenuExperienceHost.exe
4584	StartMenuExperienceHost.exe
4216	SearchApp.exe
4124	StartMenuExperienceHost.exe
3540	SearchApp.exe
1168	StartMenuExperienceHost.exe
4404	SearchApp.exe
3484	StartMenuExperienceHost.exe
3668	StartMenuExperienceHost.exe
2512	SearchApp.exe
3408	StartMenuExperienceHost.exe
4716	SearchApp.exe
852	StartMenuExperienceHost.exe
4772	SearchApp.exe
3664	StartMenuExperienceHost.exe
3548	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2184	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	94
PID 4568 wrote to memory of 2184	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	94
PID 4568 wrote to memory of 2184	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	94
PID 4568 wrote to memory of 3628	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	98
PID 4568 wrote to memory of 3628	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	98
PID 4568 wrote to memory of 3628	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	98
PID 4568 wrote to memory of 4832	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	120
PID 4568 wrote to memory of 4832	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	120
PID 4568 wrote to memory of 4832	4568	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe	120

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4568
- C:\Users\Admin\AppData\Local\Temp\d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\49A84\8CCA0.exe%C:\Users\Admin\AppData\Roaming\49A84
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d13e98dacaf32c0078692be104ae89ab_JaffaCakes118.exe startC:\Program Files (x86)\84393\lvvm.exe%C:\Program Files (x86)\84393
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3628
- C:\Program Files (x86)\LP\A034\683.tmp
  "C:\Program Files (x86)\LP\A034\683.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
PID:1204

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4336

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2312

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2708

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4164

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\A034\683.tmp

Filesize
97KB

MD5
35ada42115983644d2693f236ad65c57

SHA1
c732b06d0db7c9e18c79c8af9ceb75120988f7f8

SHA256
73f21aa459b1f32253cd7a29ddb141108c7948ab398597ed63593dd74cd5f011

SHA512
f5a0456d2ae3474780da2ff603d909bb800fd8b8d6188a1381c5b2f04a58da603cef762c7f30813e66a295ecd3bdbd8522ad8e7afceb8ff93449e319cd0955e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
327dc8820fa46e204c74919c391f9328

SHA1
068ff2fe0bdace73badaf4569acfa081c66a0698

SHA256
44122c07d1232b70dc89700aa4d16ddf109c65180c1e003903c7146115fa050e

SHA512
83e039f3861cebba587b25d1ef2e48bd8d51202706b7a926621c1e973a4bac8801f4af323301130231c4d2b7e678bfeac1d1ccf131d0e2bd27b014cc0ddd2214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
a045a6473b40372f61079d039fd14ea3

SHA1
0d2264f7c20d02471d4fc30fcca99f62674f3eb3

SHA256
050f10dc0a92e9a35c92afafbc362bdd1c931532d464efed7cfc7666bf53e814

SHA512
a8d4a8e8036862af9342f81290de31bb4a1a900c8c97525f46b2dd59f2d8f1321fe6eea73f4a8b9f5c5f26ce48b876d0c927168eb19bd22086161fe414a2bc9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
c4dfc20c14e653821bd0e24ae74aa1c1

SHA1
3ff840c35f791240ad0fdde89105316a4b935a32

SHA256
99ba4f10497fbba8e61ca630931b9f11ed1498ed58c2e02dfc21b1f94db0d805

SHA512
1f7c74f0ecd7d1ad35abe2092452417f44aaaab7d866e05f30bcd7f152a77755c3122395dcbe2fe3d07af795749e59e5d90ddfdd2aa5cf690d4780a56ed685d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133701629308521077.txt

Filesize
75KB

MD5
86f5703d924e20f9e8430cada8db9909

SHA1
8bfd87d28a4327f752e2d99d4d5f8beb5b7d29f8

SHA256
b60ae2b44392d0c55a139ffaab6e01055d3189a4eabb93379e206f9a02f8e8e0

SHA512
6a2249489986dd77b757eb24dafdffcfab2dc51cbee6deda9adbc9b4d7ff1d02e1d358430323213bf85296b34a530ce59e59afbecbae21ed3bb92edde8f1c384

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BL9O2ALU\microsoft.windows[1].xml

Filesize
96B

MD5
71e0980a20933bf598e12d709b1f1a5d

SHA1
3d6f67f9eff69f233b551cf8f07fa6800974dc5a

SHA256
4266cb485dd87059ba81a2bc515a3ef64d051827c11a9ef5a4307d665965142e

SHA512
051df6f8285a96da086e45a2a09fe9552c1577ccf1e6529975eb94c27578e95bb3701fde098721ed309db7de67cb837063d4a052d16613b554b5e51574b243ca

Download Submit
C:\Users\Admin\AppData\Roaming\49A84\4393.9A8

Filesize
300B

MD5
c61b359e23eb217688719b9c3d85e3db

SHA1
42632cd7981a4e0ded6261dfbd032de373161818

SHA256
2b3f039ce095bac94ae285400a4cca0c98dbca11cfb5abd6db0bbf72d7bbc278

SHA512
20e63bec2f2917de0f21589a573f69b14d65a702c76cb12209eb37df6a1c66369521dfa8cbf9eeb56bbaba60812323b74bfb21b3ffca6a31475a54603c40b8da

Download Submit
C:\Users\Admin\AppData\Roaming\49A84\4393.9A8

Filesize
996B

MD5
c1c5df66a8ed2b969bc91de9ba79621e

SHA1
9470d525f6d9e9386a35187deddc67469147c76b

SHA256
ff8a72ea0902cb0e8dc9ba012d11619b0ff28e136d5eabafcf6bfef7d5144a19

SHA512
dea2d725bc5b6a3a823e5b8b3d68dee1817dc145c7273a621c08d872d18729be0d9fc8a3ce8cc90d36ff4f2c6e76e4ae506d62bf34a82d9af425cbe0374904ac

Download Submit
C:\Users\Admin\AppData\Roaming\49A84\4393.9A8

Filesize
600B

MD5
8b57396980f0817cca3e6644f17dad82

SHA1
850c8b95e73bf5611ba5d87a17b2c0ac7a56f925

SHA256
4a0f0276f1b954574d4534d77b4f916830af5b8af6a04d4701ad00c3dc23e455

SHA512
a8457f42ead6553864a5675a2a9c2eb489512cc710720ffb2fea342350ee5a1c82ebb5748ed8b404664b49b58aa6e9dddaa3369965ca429506ba625f9b516664

Download Submit
C:\Users\Admin\AppData\Roaming\49A84\4393.9A8

Filesize
1KB

MD5
262a3a119b1e32bdc7c16d18b6063775

SHA1
e90119e9226b336a10b47d187c25a98f8df0a920

SHA256
c13429a71490860c25204f9293f126dddf3957a1f411db0860c82659b4bf628f

SHA512
9608d917d44bee6cdeafb007eaa248e06752d78e90325adeb8637cf878b61dd47a76e062e77c792efc5a3566df65b0e3a7cf537c5b7f45ba8701831ac51f192f

Download Submit
memory/1204-1334-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1356-895-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1520-590-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/1680-283-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2184-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2184-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2512-748-0x000001D6A5740000-0x000001D6A5840000-memory.dmp

Filesize
1024KB

Download
memory/2512-751-0x000001D6A6690000-0x000001D6A66B0000-memory.dmp

Filesize
128KB

Download
memory/2512-763-0x000001D6A6650000-0x000001D6A6670000-memory.dmp

Filesize
128KB

Download
memory/2512-774-0x000001D6A6C60000-0x000001D6A6C80000-memory.dmp

Filesize
128KB

Download
memory/2512-747-0x000001D6A5740000-0x000001D6A5840000-memory.dmp

Filesize
1024KB

Download
memory/2512-746-0x000001D6A5740000-0x000001D6A5840000-memory.dmp

Filesize
1024KB

Download
memory/3444-1037-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3500-744-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3540-452-0x0000015BE9900000-0x0000015BE9A00000-memory.dmp

Filesize
1024KB

Download
memory/3540-451-0x0000015BE9900000-0x0000015BE9A00000-memory.dmp

Filesize
1024KB

Download
memory/3540-482-0x0000015BEAE30000-0x0000015BEAE50000-memory.dmp

Filesize
128KB

Download
memory/3540-455-0x0000015BEAA60000-0x0000015BEAA80000-memory.dmp

Filesize
128KB

Download
memory/3540-469-0x0000015BEAA20000-0x0000015BEAA40000-memory.dmp

Filesize
128KB

Download
memory/3540-450-0x0000015BE9900000-0x0000015BE9A00000-memory.dmp

Filesize
1024KB

Download
memory/3548-1197-0x00000197A1530000-0x00000197A1550000-memory.dmp

Filesize
128KB

Download
memory/3548-1224-0x00000197A1B00000-0x00000197A1B20000-memory.dmp

Filesize
128KB

Download
memory/3548-1192-0x00000197A0600000-0x00000197A0700000-memory.dmp

Filesize
1024KB

Download
memory/3548-1194-0x00000197A0600000-0x00000197A0700000-memory.dmp

Filesize
1024KB

Download
memory/3548-1210-0x00000197A14F0000-0x00000197A1510000-memory.dmp

Filesize
128KB

Download
memory/3628-128-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4216-320-0x0000027A4F940000-0x0000027A4F960000-memory.dmp

Filesize
128KB

Download
memory/4216-303-0x0000027A4F320000-0x0000027A4F340000-memory.dmp

Filesize
128KB

Download
memory/4216-289-0x0000027A4F360000-0x0000027A4F380000-memory.dmp

Filesize
128KB

Download
memory/4216-284-0x0000027A4E400000-0x0000027A4E500000-memory.dmp

Filesize
1024KB

Download
memory/4388-1336-0x000001EC7A390000-0x000001EC7A490000-memory.dmp

Filesize
1024KB

Download
memory/4388-1337-0x000001EC7A390000-0x000001EC7A490000-memory.dmp

Filesize
1024KB

Download
memory/4404-597-0x000001BDB6140000-0x000001BDB6160000-memory.dmp

Filesize
128KB

Download
memory/4404-608-0x000001BDB6100000-0x000001BDB6120000-memory.dmp

Filesize
128KB

Download
memory/4404-629-0x000001BDB6500000-0x000001BDB6520000-memory.dmp

Filesize
128KB

Download
memory/4404-592-0x000001BDB5000000-0x000001BDB5100000-memory.dmp

Filesize
1024KB

Download
memory/4568-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4568-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4568-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4568-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4568-710-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4568-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4568-126-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4696-448-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4716-925-0x000002049F4E0000-0x000002049F500000-memory.dmp

Filesize
128KB

Download
memory/4716-902-0x000002049EF00000-0x000002049EF20000-memory.dmp

Filesize
128KB

Download
memory/4716-911-0x000002049EBC0000-0x000002049EBE0000-memory.dmp

Filesize
128KB

Download
memory/4716-897-0x000002049E000000-0x000002049E100000-memory.dmp

Filesize
1024KB

Download
memory/4716-898-0x000002049E000000-0x000002049E100000-memory.dmp

Filesize
1024KB

Download
memory/4772-1076-0x0000012513040000-0x0000012513060000-memory.dmp

Filesize
128KB

Download
memory/4772-1054-0x0000012512C30000-0x0000012512C50000-memory.dmp

Filesize
128KB

Download
memory/4772-1039-0x0000011D10B20000-0x0000011D10C20000-memory.dmp

Filesize
1024KB

Download
memory/4772-1044-0x0000012512C70000-0x0000012512C90000-memory.dmp

Filesize
128KB

Download
memory/4772-1040-0x0000011D10B20000-0x0000011D10C20000-memory.dmp

Filesize
1024KB

Download
memory/4832-591-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5012-1191-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download