7aa8352a757bd4545c26aa551e1c382da3d5727b5e9ef425f9f5316afd468dd6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe
Size

3.3MB
MD5

11d83f00a0f480dc5609bb68e62d4287
SHA1

de670578e74dfd7cd1e1cf70e54ea79b2c1cea2d
SHA256

7aa8352a757bd4545c26aa551e1c382da3d5727b5e9ef425f9f5316afd468dd6
SHA512

83642bf2f480fa332c38fa50421439949aa17081464d20719eb9c38e13641edc0100fc9a3a8602d45c3a2d4cef0380b0fba692a8eff89527ae9fe4152558e741
SSDEEP

49152:5ahFLDmpBrigsKljDPPPUql5RmcXBfvLtiVZboISO7oemwu8zlg1quZn+6HnTO9+:QPaPGgtUXcXBXYUm7o2uKC+Iq8

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp
1872	7art Dinosaurs 2.scr
1472	ScreensaverAcPro.exe
1248	ScreensaverAcPro.tmp
6084	7art Dinosaurs 2.scr
4060	FireFoxExtension.exe
4908	ChromeSetSearchInBrowser.exe
3744	InstTracker.exe

Loads dropped DLL 5 IoCs

pid	Process
2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp
2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp
1248	ScreensaverAcPro.tmp
6124	regsvr32.exe
2628	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ = "SuggestMeYesBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ = "SuggestMeYesBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AutocompletePro\is-U0O83.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files\Mozilla Firefox\searchplugins\acpro.xml	FireFoxExtension.exe
File created	C:\Program Files (x86)\AutocompletePro\is-T8AN5.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-R48D4.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\is-66P6C.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-8828P.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-LG513.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-D2FRT.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\defaults\preferences\is-B4BBD.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\chrome\is-5D915.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\unins000.dat	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\64\is-4O93L.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-58TJE.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-MMF3G.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\is-CRDLO.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-CL5NR.tmp	ScreensaverAcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-4FIJJ.tmp	ScreensaverAcPro.tmp
File opened for modification	C:\Program Files (x86)\AutocompletePro\unins000.dat	ScreensaverAcPro.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\is-8JJO7.tmp	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreensaverAcPro.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7art Dinosaurs 2.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7art Dinosaurs 2.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreensaverAcPro.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop	Rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\7ARTDI~1.SCR"	Rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveActive = "1"	Rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	Rundll32.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\URL = "http://search.autocompletepro.com/?si=10196&bi=400&q={searchTerms}"	ScreensaverAcPro.tmp
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Search	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchURI\(Default) = "http://search.autocompletepro.com/?si=10196&bi=400&q=%s"	ScreensaverAcPro.tmp
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\SearchUrl	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Search Page = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\SearchURI	ScreensaverAcPro.tmp
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	ScreensaverAcPro.tmp
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\SearchScopes	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\(Default) = "http://search.autocompletepro.com/?si=10196&bi=400&q=%s"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Default_Page_URL = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "Web Search"	ScreensaverAcPro.tmp

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.autocompletepro.com/?si=10196&bi=400"	ScreensaverAcPro.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32\ = "C:\\Program Files (x86)\\AutocompletePro\\AutocompletePro.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ = "ISuggestMeYesBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\ = "AC-Pro"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutocompletePro.DLL\AppID = "{442F13BC-2031-42D5-9520-437F65271153}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ = "AC-Pro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ = "ISuggestMeYesBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer\ = "SuggestMeYes.SuggestMeYesBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32\ = "C:\\Program Files (x86)\\AutocompletePro\\AutocompletePro.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID\ = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID\ = "SuggestMeYes.SuggestMeYesBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID\ = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ = "AC-Pro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AutocompletePro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID\ = "SuggestMeYes.SuggestMeYesBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32\ = "C:\\Program Files (x86)\\AutocompletePro\\64\\AutocompletePro64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID\ = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutocompletePro.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\ = "AC-Pro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}\ = "AutocompletePro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID\ = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32\ = "C:\\Program Files (x86)\\AutocompletePro\\64\\AutocompletePro64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer\ = "SuggestMeYes.SuggestMeYesBHO.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4908	ChromeSetSearchInBrowser.exe
4060	FireFoxExtension.exe
4060	FireFoxExtension.exe
4024	msedge.exe
4024	msedge.exe
1644	msedge.exe
1644	msedge.exe
5696	identity_helper.exe
5696	identity_helper.exe
5444	msedge.exe
5444	msedge.exe
5444	msedge.exe
5444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	ChromeSetSearchInBrowser.exe
Token: SeDebugPrivilege	4060	FireFoxExtension.exe
Token: SeDebugPrivilege	3744	InstTracker.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2824	3172	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe	82
PID 3172 wrote to memory of 2824	3172	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe	82
PID 3172 wrote to memory of 2824	3172	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe	82
PID 2824 wrote to memory of 1872	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	83
PID 2824 wrote to memory of 1872	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	83
PID 2824 wrote to memory of 1872	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	83
PID 2824 wrote to memory of 4764	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	85
PID 2824 wrote to memory of 4764	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	85
PID 2824 wrote to memory of 4764	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	85
PID 2824 wrote to memory of 1472	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	86
PID 2824 wrote to memory of 1472	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	86
PID 2824 wrote to memory of 1472	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	86
PID 1472 wrote to memory of 1248	1472	ScreensaverAcPro.exe	87
PID 1472 wrote to memory of 1248	1472	ScreensaverAcPro.exe	87
PID 1472 wrote to memory of 1248	1472	ScreensaverAcPro.exe	87
PID 4764 wrote to memory of 6084	4764	Rundll32.exe	88
PID 4764 wrote to memory of 6084	4764	Rundll32.exe	88
PID 4764 wrote to memory of 6084	4764	Rundll32.exe	88
PID 1248 wrote to memory of 6124	1248	ScreensaverAcPro.tmp	89
PID 1248 wrote to memory of 6124	1248	ScreensaverAcPro.tmp	89
PID 1248 wrote to memory of 6124	1248	ScreensaverAcPro.tmp	89
PID 1248 wrote to memory of 2628	1248	ScreensaverAcPro.tmp	90
PID 1248 wrote to memory of 2628	1248	ScreensaverAcPro.tmp	90
PID 1248 wrote to memory of 2628	1248	ScreensaverAcPro.tmp	90
PID 2824 wrote to memory of 1644	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	91
PID 2824 wrote to memory of 1644	2824	11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp	91
PID 1248 wrote to memory of 4060	1248	ScreensaverAcPro.tmp	92
PID 1248 wrote to memory of 4060	1248	ScreensaverAcPro.tmp	92
PID 1644 wrote to memory of 2876	1644	msedge.exe	93
PID 1644 wrote to memory of 2876	1644	msedge.exe	93
PID 1248 wrote to memory of 4908	1248	ScreensaverAcPro.tmp	95
PID 1248 wrote to memory of 4908	1248	ScreensaverAcPro.tmp	95
PID 1248 wrote to memory of 3744	1248	ScreensaverAcPro.tmp	97
PID 1248 wrote to memory of 3744	1248	ScreensaverAcPro.tmp	97
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99
PID 1644 wrote to memory of 4416	1644	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\is-O4G8T.tmp\11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O4G8T.tmp\11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp" /SL5="$502B4,3102915,54272,C:\Users\Admin\AppData\Local\Temp\11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\7art Dinosaurs 2.scr
    "C:\Windows\7art Dinosaurs 2.scr"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1872
- - C:\Windows\SysWOW64\Rundll32.exe
    "Rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\7art Dinosaurs 2.scr
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\7art Dinosaurs 2.scr
      "C:\Windows\7art Dinosaurs 2.scr" /p 196708
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6084
- - C:\Users\Admin\AppData\Local\Temp\is-JTCFT.tmp\ScreensaverAcPro.exe
    "C:\Users\Admin\AppData\Local\Temp\is-JTCFT.tmp\ScreensaverAcPro.exe" /VERYSILENT /NORESTART
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\is-INOJ4.tmp\ScreensaverAcPro.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-INOJ4.tmp\ScreensaverAcPro.tmp" /SL5="$30256,550207,54272,C:\Users\Admin\AppData\Local\Temp\is-JTCFT.tmp\ScreensaverAcPro.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s AutocompletePro.dll
        5⤵
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\syswow64\regsvr32.exe" /s AutocompletePro64.dll
        5⤵
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
    - - C:\Program Files (x86)\AutocompletePro\FireFoxExtension.exe
        
        "C:\Program Files (x86)\AutocompletePro\FireFoxExtension.exe" -source:"C:\Program Files (x86)\AutocompletePro\[email protected]" -guid:[email protected] -siteid:10196 -search
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Program Files (x86)\AutocompletePro\ChromeSetSearchInBrowser.exe
        
        "C:\Program Files (x86)\AutocompletePro\ChromeSetSearchInBrowser.exe" -siteid:10196
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Program Files (x86)\AutocompletePro\InstTracker.exe
        
        "C:\Program Files (x86)\AutocompletePro\InstTracker.exe" -install -cs:true -si:10196 -ver:1.1 -dir:"C:\Program Files (x86)\AutocompletePro"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.7art-screensavers.com/7art-screensavers-land2.shtml
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa089646f8,0x7ffa08964708,0x7ffa08964718
      4⤵
      PID:2876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:4416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
      4⤵
      PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:1760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      4⤵
      PID:392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
      4⤵
      PID:5548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      PID:5708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
      4⤵
      PID:5716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4758533696965829698,7501733906150127728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AutocompletePro\64\AutocompletePro64.dll

Filesize
95KB

MD5
832f6d78a1d40a2e885bd2ad5da78f81

SHA1
c2e29eac683b32cf1aca4821168bfbe387ba4583

SHA256
2df9294468c6abd848c50b6175dad2d54bc51b6fb112643012ee16fd77d2a367

SHA512
3f036f11aa70a5b1a76ee81a1100d6905753e6ac87d69d618608ffaffcea059ad1471db2d3a65d29bae5ef539cfa3dc764a49aa59622ff60728582c5e54d8d38

Download Submit
C:\Program Files (x86)\AutocompletePro\AutocompletePro.dll

Filesize
95KB

MD5
4257cda1092d06d177a20375d8ebaa8c

SHA1
857628be2a2e56b5c998a580f303d79f5e02d51b

SHA256
99b4a1da0ce3cc0aa06ff6ab5f189fefcabda127c72562c56caef166474b31ed

SHA512
7fb0d6d2ecdcb1c2d5efa08ee684c14eda73c1e049ade8280437877b977d3339e07162db663143fb3a52f2e56f74dfe338788228c09fe5f06ca96959eaf780ea

Download Submit
C:\Program Files (x86)\AutocompletePro\ChromeSetSearchInBrowser.exe

Filesize
12KB

MD5
600a44d37b6a8ea2e3f9e6c60493832d

SHA1
50f87639a89164ac09ed0817c6ca93c5f4cff420

SHA256
dbca8907daeeabdfcb4abf1c73f9d330623adbc7eb717eb33a90a2f9791b9429

SHA512
daca92f97f20ef3d0feb0c54fcdb1631a26f0fa508767b1cce6b514f7f4551d08d64afd6003c2e97c5d0632e814613357cfcdca9559847ecb10e5fa90b009493

Download Submit
C:\Program Files (x86)\AutocompletePro\FireFoxExtension.exe

Filesize
17KB

MD5
9e408d9de018be9a289237b64f7f3558

SHA1
0660c6b0d17fda1ec39ad7e94982848b8ff83601

SHA256
6983434a056952498999421b5a4f112a5652dea2b03548218ee642d6ae65cc7f

SHA512
917e2ea85ecbf274494c1710db3e3a8f1fd6d6b656a837396bfaee1f8c2339a3407c8d209270fce5a9064d1a24b34ed897658cd5a6a6696bca16e99f69aa7597

Download Submit
C:\Program Files (x86)\AutocompletePro\InstTracker.exe

Filesize
10KB

MD5
ea2117a4e21ec4c8945671e4b747653a

SHA1
0f9226138a65c55e5770232b2f5747c49cac9912

SHA256
5d66ac0769c99ad3ade8bf7ae0ba9d8e94e4e5327d50f1ef27df4d6b2f3eb455

SHA512
840689ae4f6c5926a63524fa535fa83d7d7ec7b3f7771a0c30789918e61b0b763acf18b5150db8e85c8eb791d7313bc41a9e433290427cbf26683621b3a506ad

Download Submit
C:\Program Files (x86)\AutocompletePro\[email protected]\chrome.manifest

Filesize
176B

MD5
5bf813fadd66689e5bbafaedf6ac5857

SHA1
1caa30bea85509123d40c00786e2b83191a55bba

SHA256
ca572f1885f44970238dbbf80150741364726d9a742892f9b72535a6d632083c

SHA512
6b559824acb69ffec629e697971c80fad78315ffcbf3daf5296b11ac0cb1d7f808ac01f421f0d71699fe6eaa8ea1e73fb5c5a27a5b2662050bf9cb8f8ae3a643

Download Submit
C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\browserOverlay.xul

Filesize
4KB

MD5
a9faec5cb812c6bd71dd1ef1ef14e82b

SHA1
cecce79afdf90be407ab7f3ffda4ddb65501297a

SHA256
3318f5f2a3750de6b020fa90f5193ef511d1f331b0548488a70cbf5cc6e2aefd

SHA512
10112c710737c4a0f323561abcee6caa47213fc26d35393c4323ecca00399f2ad4cd01258c66046793d3eb6578f113252fb1df2c977db8b43ec578f532dcaf6f

Download Submit
C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\options.js

Filesize
32B

MD5
c29df68b8bc24772ac61504fa1677afe

SHA1
e72be81ac24e18abba88d1acd0badf93b6bbde60

SHA256
f7e349c1408ab33707a91ed93829412a4365c83d6a97d8e4eb926e029fafcdf1

SHA512
216df1be65111df0d2e8fb1504f478fdef546fab2e1acca1e9a2e213ef85d1ea9d4cf7a1691c0001c237eef8300cd321b95d2009c6f0d58b2d40644520bfaf4b

Download Submit
C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\options.xul

Filesize
496B

MD5
4216dae17fc46779596b35e4f14b36fa

SHA1
e6954094d1aa235cac709dd0a9240522a8086628

SHA256
d4d57bddfc62081656edc0060725c1b089ed5b64eea05ce59f447edb13ecabca

SHA512
d2995b1ff4eb04a9be78967e056dd6f1dd0154fc971993ab7017b121be917219a872ac904efe80f4611dbdcf904a8167c6a77cd5a5348e96e792ac18c9651810

Download Submit
C:\Program Files (x86)\AutocompletePro\[email protected]\defaults\preferences\predictad.js

Filesize
373B

MD5
aafce2cf73cb7bc60c7621893001ba6c

SHA1
740bd0206c5beccc3f8f727fedf483b51edecdfc

SHA256
ea2a8545a390026ca4efed437ca07466fba2abe3171d30271000a20aed3440e1

SHA512
32421c7719e232aa0a8151efe8cedcafd5f6f42833c95e224609772da8e0916df54db416cec13d85da38545e4aef61bdc76cf31383bf423085232e49045ba104

Download Submit
C:\Program Files (x86)\AutocompletePro\[email protected]\install.rdf

Filesize
1KB

MD5
64a7a1e88e9966dfafaf702c3d7e6034

SHA1
a5bf67d080b5bd8c384159add5c4510567e60655

SHA256
bff928524f47136c81f707633507c81a44a9ae6de50924fb2917a0c505085b1f

SHA512
7144e6421f2f99232201982074427c11810d96d06f666f031d8971fb792810a8f94d972211d9404fa2c80c08c2e216a3b2ac4bdbd13a98fcdeea490c07ab1db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
45a1f844b6b0578cbec2afeb830d20d7

SHA1
23752a2b7e54695503b14db116b7aa3a743e9b9f

SHA256
878067f2c596339c7104a65414dbcdd36ed5fa320aa824fec00543324b1ccd43

SHA512
f7918674a6f63ac23286e3a6dabc3ab77b9d6036e0e7f8aac47141f5b09032ff78ce6bebc83610146396ea0ed32c6726493fc0325f1f992776d120fa8d0c86cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1f3b6bfc9cb0b234fde009610b19bfe3

SHA1
a6d752d28679c8a90ee921ba21e8c300eaf9ab21

SHA256
3f1cdf3279148ac2cfbb7cd0b6883108483b701bcc1e2e85babfccb44ff30a39

SHA512
1a39002ec83ce8764961a8eff654116c9e146a902ebc8ef02b6e1b7f9540416334c3d1fe6c6a881e8dc32030e77c9f9b170df16bef3fc150e4d37e98bd623dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aef3d9572068ca2c4f549f8f38dd301b

SHA1
ec80d93d87cdb3b536f691d9dd6c9cd6ab2bebe1

SHA256
9f72a5ba2f7380c561ef7814162a0a9bf1cf736ccc772bc85f2f0cf5c9cf924c

SHA512
b226e783054baf7cfecd53ffc487dc495cb3964a6cf267e9f0069f3823e61fee3936893ca207ee8eb17570ba818d293f4426f8a3fa4a19f4139ec4a2c3fb1e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e3c4bee9aaacfdc349341d752630417

SHA1
64e77752e541efb786a4cad7edfed4b5299e4bf3

SHA256
f335e5946914bb0426049f835ea29f473bbf2c55877f21910e41779da951295a

SHA512
6c7c5f2214172fe39feb8d5bf55a295e87223744ef03669c3fd0afefc406c3a352c03a89a60c99aba88475d554034d28efe9b653f807b8834af541da98abd7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6fe3cf936ceaa51842852a04024d9139

SHA1
f7e919dacd2aa7132eb4dd5da0d32c7c916e1dab

SHA256
0792d0de920d10d380567e4cb91e000791c171a6ca387cd9759d6832ad2523df

SHA512
82ca0e6b3ebb65eacc7ca3adf3688329e2b771db31d50e1729f53e125b03286eb42adbe3c7b2429207f29d04e940dd7fd61482bba15a0ab955925deac8a0127d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b7a14c5aff962f436c4f649329dc1761

SHA1
8a13df07d33878e5f94cddeb8c548419a171ab85

SHA256
b1283a64658fbadd06828438aecedea0f8de98c6245e243670d771713662b10a

SHA512
7c6b5f24e2910f7158239c0ec7d841d0ec598e1c39566d8182f209b7ff77a7901ae9423af3b7ec8fad5060ca1e20e745769bf797297dd55e36b4f8e3a8b24988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
05f6f9b3a33cdc2873de2388df2f026f

SHA1
15805569331f272e574f8a6bdb72b10d08c1a786

SHA256
b803f457902bca0381f33c815c8cc579b479f48ef28a32359ebcaaa8ddd6822e

SHA512
b5aa24b0f612199c57a273506f01fae7494fa473cc2384e4d26f843c320dff4d40fe1240d7bae8a2426f7e80b7d55df7b8dbeb412253203e440f9e3e30742a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
11a638b9d1976e8bfe6e847bc9fb054a

SHA1
4f7e946efb7fe52a581fe2ebc687bc0e88458f74

SHA256
00da98326af27ffa518a7a7ebe243bed67d83c5737f27150aa486db9b5e0cd3a

SHA512
cff6583ab5fb5f70778a65f07ecf0e811f63e56c2b5d8e44fa9558803f7fd9164314abfc156982a7e0a58cdd2d0d91c68ffbdc16742e89556fc5424a331514e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-INOJ4.tmp\ScreensaverAcPro.tmp

Filesize
694KB

MD5
f0ccfb46f867443700d31c969bdcf552

SHA1
f2474d5d7a906de3bc3381ca79bb1ea60f0d6697

SHA256
54bb849d30567d5f10ac359f8b503732a3fcd76ad7cc72007eab843b784367bb

SHA512
71c7de53d1db03f1149c3e82fd92842cbd284d17c981267b20290f8d54baf2b578f7830f64eb5308c82cf4aff4f1937586624c2769da74a463c8d4ebdcbe45ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTCFT.tmp\ScreensaverAcPro.exe

Filesize
803KB

MD5
743449cb3384523469a85b660293802b

SHA1
d5ea01ba11d93a03174575a286be4639a580875b

SHA256
3d9361afa7f3b836a905dd625d16e936c865a47d306dd2a0c266943b06b88ccb

SHA512
1cb21d98798b2c6dd08927b4e6fc085ac310613e936660cefb330677b8f8e2bc0f0fc67682cf363f283d5bc5aa615ce459b36dfd0a1974ae0277aaabc63bd650

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTCFT.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O4G8T.tmp\11d83f00a0f480dc5609bb68e62d4287_JaffaCakes118.tmp

Filesize
687KB

MD5
c080f73b1bdde0853cb0258d9a02b0ec

SHA1
a5112a53e6e75069ac06b7bbd658f7cf2c8f2dee

SHA256
a0cfbc8da39ad4a4d21c61d73873d225ffa5d7650fae5938ab643f719d5f7363

SHA512
e514be3f983de22c0f67bac318686b7fe75cb6fd9832f3603077ad25c559155b7df71555b92bb6366835a104c8d2828cec2766fb7f855bd3f79f66319d6a5eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEGM3.tmp\IssProc.dll

Filesize
184KB

MD5
8eae382eabf41d58cb4e4f6bccb48bca

SHA1
104b402efcf67cfb885d3d5f2c3cbad9837c6fd2

SHA256
154cb086cf647d673cc0646ab3db30e2c68974743eb8348cd3d77113bd15d18b

SHA512
bc1d46e2b91b51c2adb84f6fa08cb5c0c95909fd7761e0a19a6db8e7f6a0e768d575530dd920e722ba5440cfcdee48677d3260bae473bced72a1a1c62ab0e469

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEGM3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\free-slideshow\7art Dinosaurs 2\Info\Alien-Clock.ico

Filesize
203KB

MD5
95af3510fa2a4362b6d4f33497d22b3d

SHA1
a4bd775802ca9895455498185cbf71754788a96f

SHA256
5a944508d39861863119aa540e9a9939cb872b59ce487389af85f6b97a76ff84

SHA512
0818e4924a042e794f914a3c2860d2d73d7645e96919bcc3f1d26c4a10fe40b88b7bad7374a98ae8bc27a2fb7a4e71c5e86b35a7df00f5a016e143f8e1ebc155

Download Submit
C:\Users\Admin\AppData\Roaming\free-slideshow\7art Dinosaurs 2\Info\ScreensaverSky.ico

Filesize
203KB

MD5
6586347e1de35fab12fb90075a3d1f58

SHA1
ef6e4cacdd2692ea7af37723ea10bbc29341af64

SHA256
1d5bc5acb6d6728d8145827798d0d91e0887bbd63e5e95baf19d425bc3f9c36c

SHA512
0a84ecee7fb20865598b37fceec45951a6788fecf60a8f35c89234373a5305b27098e0b3f6e38b722906ed661ad2bd3f828e484fd2b4b046df2bbc8e7de799dd

Download Submit
C:\Users\Admin\AppData\Roaming\free-slideshow\7art Dinosaurs 2\Info\dc.ico

Filesize
25KB

MD5
a3badccb6589905a0e41c032fc74c445

SHA1
569cea65b331d6d3ddf76d7d678f8fd7e8fc575f

SHA256
1afa561236acb340a1c385b384f8721e43dbf1af59475df2881d5f35334f348a

SHA512
760941f58a8afaf246e3904b79fddddf916e6bb0fd0348a8f047210d4022e011ac24c261c1a192de07c918048e4607918aecacb37359f7cf0ee2a066bbfc6312

Download Submit
C:\Users\Admin\Desktop\Run 7art Dinosaurs 2.lnk

Filesize
1KB

MD5
0e5cb2a72884ea096b536f4d950808fb

SHA1
ed986a01d43f875cd169214f1c804e8522aaf244

SHA256
a1e2863acabf8e127122f9a06ce3eeb2179353a621a93fbd6e7dffd1437de300

SHA512
f107580271dc817eff892e92e29e5134c3669e897ceca159cb8382964da7546ae28de15dcdc5ef847d00c4797e2794abfecc525e1e9122c491d7d509a0572c64

Download Submit
C:\Windows\7art Dinosaurs 2.scr

Filesize
1.8MB

MD5
3c2aeedc0ad26500f8024c805306f7d2

SHA1
63a767fcf5d7b66da46eeb57317a703e62b04e75

SHA256
b4f8c910d4503098532d44378b8ab25d3bafd806c156be1c4f93dc256c584ecf

SHA512
9b09dd2710a013be82c2ff744347ef497a19c8e2da5711e0918ec7e10ba8c6f519e491606904aeb0e1bf30dbcf6da03546440cc474f24e836496545c4dc38321

Download Submit
memory/1248-851-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1472-853-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1472-93-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1872-89-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/1872-88-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/2824-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2824-867-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2824-23-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3172-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3172-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3172-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3172-868-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6084-935-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download