cycbot | 9cd557c6bb6fd67454124990b53ef8d5f3104da2d02e478703d9161f29cf3b64

Analysis

max time kernel
59s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
Size

278KB
MD5

b33af7b67bed451f95fbb60533cb6762
SHA1

6441e613b0fdb294f757130f3c3d9b819abe632a
SHA256

9cd557c6bb6fd67454124990b53ef8d5f3104da2d02e478703d9161f29cf3b64
SHA512

e86ef82372583170da1fc8ad863f307442dfd09f90ef147329fc92b70d357fab496a7ad91a82a1dd8bc09e83d9cab9206e3a46f42dd60f2dda9bd60874103aa0
SSDEEP

6144:gK85+7/CwuS0SEYNJD96eAVnUNXhQtgV/5SZo7tCYxsAiT3iBHX:gK85y9xKY7D/MUwtOcKxClAiTS1

Score

10^/10

cycbot pony backdoor credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1264-15-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3940-16-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral2/memory/3940-17-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3120-82-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3940-83-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3940-162-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3940-1066-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1984	4978.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7B5.exe = "C:\\Program Files (x86)\\LP\\C1BA\\7B5.exe"	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1264-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1264-12-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1264-15-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3940-16-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/3940-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3120-81-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3120-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3940-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3940-162-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3940-1066-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\C1BA\7B5.exe	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
File opened for modification	C:\Program Files (x86)\LP\C1BA\4978.tmp	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
File opened for modification	C:\Program Files (x86)\LP\C1BA\7B5.exe	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4978.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{31350404-77AC-4471-B33A-9020A2EDA1D1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1872	msiexec.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe
Token: SeCreatePagefilePrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3680	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3460	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe
3980	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
828	StartMenuExperienceHost.exe
4152	StartMenuExperienceHost.exe
1600	SearchApp.exe
4276	StartMenuExperienceHost.exe
4684	StartMenuExperienceHost.exe
2568	SearchApp.exe
2472	StartMenuExperienceHost.exe
3632	SearchApp.exe
2380	StartMenuExperienceHost.exe
3984	SearchApp.exe
2108	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1264	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	89
PID 3940 wrote to memory of 1264	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	89
PID 3940 wrote to memory of 1264	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	89
PID 3940 wrote to memory of 3120	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	102
PID 3940 wrote to memory of 3120	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	102
PID 3940 wrote to memory of 3120	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	102
PID 3940 wrote to memory of 1984	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	106
PID 3940 wrote to memory of 1984	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	106
PID 3940 wrote to memory of 1984	3940	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe	106

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3940
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe startC:\Users\Admin\AppData\Roaming\AA83B\6E6C1.exe%C:\Users\Admin\AppData\Roaming\AA83B
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b33af7b67bed451f95fbb60533cb6762.exe startC:\Program Files (x86)\3B153\lvvm.exe%C:\Program Files (x86)\3B153
  2⤵
  PID:3120
- C:\Program Files (x86)\LP\C1BA\4978.tmp
  "C:\Program Files (x86)\LP\C1BA\4978.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1380

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2324

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\C1BA\4978.tmp

Filesize
96KB

MD5
a5a8de31397ec7ea7d73fe0d7eaf4b74

SHA1
a75318e3568426a430575ae180319aa7af1e59bf

SHA256
9dff1eba4eaa64d0830fc56aee29ac7ea940c640845344e579699029cdd9089c

SHA512
a57b65a63b00c88452d7457a8b90104d8c5f6bca7d054cb6347e0ee10ac1e3fec3488b7bdf372ae45cc2fd153468590589d64c8d1f4fe2d689fe02a26a5e1138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
c01e07f7e6f2bc5c88a8299eeaced5d6

SHA1
6ca90ef25608d2047ad49bdd0cf64a4d31540580

SHA256
ded826dcf94f462bd7407f3db45687dcbb3e413fab40fb583ea036c2e4f985a8

SHA512
01f5dd7ad2bbc61104794360d8b319eea515a6bde4e531b59a5e9ad7a158f781d469a3d540379f3f122a3f2658b5ce4e2d153d32e23be64a3ce899d94f4fe0f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
e3047a410c63329ab6e88a4cf96640d0

SHA1
87d50157d8fdf1ee224fffe466c0036b206bdf24

SHA256
b9f6c8e1abe23b5179b9eec75cd58f09d8e73da38e1ce078cc1637e332a609e7

SHA512
c538ca1897c350924ca9d099313533e3245e68ac641d8b8db8edc627706d1c25fdb17a50fed091893b47196f8c7d6ee958955785470167a7bdcccf93ec0241e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
bd07773854a10fdcfb8f3a2bbb05e0ad

SHA1
44a3e9ad182244b90421aee3720cd056a0327698

SHA256
7d48b55b0a83039325adc366212dc30e27851bb38a5ec8543a9f16b460c68621

SHA512
2853eec168aadefbba5ba0ce0edf717d260823353ddd5a4aca46627c59351379363b9c7a52eefef0c1f222b9b4bc4b191c5f368186d3119479404fae408fe1e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2CFNWDLC\microsoft.windows[1].xml

Filesize
97B

MD5
539db492f33fccee9be530dd0bf34a46

SHA1
650b2a3583d6c9499b4ed73e9a5dca37f342a50e

SHA256
f6d425aad05b46e77b53e5737c85f4ceab6531e773ea87eb985754be5ec19999

SHA512
9328f2fa286b4a9ca6ae57ddd9fca0b1140e5f68a5e143fd8ae6ea212a1af5d7b6b2289c324fa9480ca8d2e6d3b0cf7115611a56a3a161c5ad2f988f6ae62a0a

Download Submit
C:\Users\Admin\AppData\Roaming\AA83B\B153.A83

Filesize
1KB

MD5
1e55839259121a8c93c4b05c164b33d6

SHA1
886f646dbc94ebaff6a247da3858e1435c6f45f3

SHA256
92efb5b81b753e6482cfa6b7f4ab85c0ad15933854b3f443653addb48516b428

SHA512
74e100952fd597cb2f9e3eeae15bd200186fc37999e3b0ba2f9d862e3a0e01cb0234d2926662ee42fe48f6f7c974be3257ff08e57b0ceb50c0bb2d39139121ff

Download Submit
C:\Users\Admin\AppData\Roaming\AA83B\B153.A83

Filesize
1KB

MD5
90160283c7cca9c407445ae80c4326cd

SHA1
c4b9c773b539aca72afc3973593afbbef76a7f72

SHA256
c1cca6c53d54b45aa34ef984d57174b983b9f2cf4180b2e53ed30a7e975ff819

SHA512
d17acaef89aedac1c5fe31120014352dbf5ddf2786db2a9dda0a47100cccc83dc1627e41ca35581d1a4e41996382a4368104327b877eccff18c4811fe0c19bb2

Download Submit
C:\Users\Admin\AppData\Roaming\AA83B\B153.A83

Filesize
600B

MD5
640354bb96a8f95163a788b826fe0130

SHA1
43c9642bee5b05798800dd401bbaa9b50b589bf9

SHA256
bac04b9bf7757ff209fbf917a2fb60928641730cafaf8cd5e5aa4558febb706d

SHA512
d5bf743d7e4778f990a871525e0a59aae238f3a44a83259ec2919932b586b1216edcd9758d7c4acbcdd88b899fd8b958af30df75fcfe2f058eedf45c33c86a91

Download Submit
C:\Users\Admin\AppData\Roaming\AA83B\B153.A83

Filesize
996B

MD5
6d12ff3c07f4d77f44d61182c41b53ff

SHA1
883b538baea15e1bf62ab6dc13b7faa4c4eb2507

SHA256
ccd80f70f07116fae7907da447441d17f133f9a64cf88f7621bf8a0094d42312

SHA512
4ced8ff466ef6de48160a18b44362f117b63698c9da16e38a48ba183281e3b6f971f25f331fe1fc681ce652d602d7d4dcfa02647f9dc922c6c9bf92135b06b02

Download Submit
memory/640-789-0x000001400DF00000-0x000001400E000000-memory.dmp

Filesize
1024KB

Download
memory/640-788-0x000001400DF00000-0x000001400E000000-memory.dmp

Filesize
1024KB

Download
memory/640-825-0x000001400F5C0000-0x000001400F5E0000-memory.dmp

Filesize
128KB

Download
memory/640-800-0x000001400EFB0000-0x000001400EFD0000-memory.dmp

Filesize
128KB

Download
memory/640-793-0x000001400F200000-0x000001400F220000-memory.dmp

Filesize
128KB

Download
memory/1264-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1264-12-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1264-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1316-1068-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1600-218-0x000001F7B59F0000-0x000001F7B5A10000-memory.dmp

Filesize
128KB

Download
memory/1600-205-0x000001F7B5A30000-0x000001F7B5A50000-memory.dmp

Filesize
128KB

Download
memory/1600-236-0x000001F7B5E00000-0x000001F7B5E20000-memory.dmp

Filesize
128KB

Download
memory/1600-200-0x000001F7B4A00000-0x000001F7B4B00000-memory.dmp

Filesize
1024KB

Download
memory/1600-201-0x000001F7B4A00000-0x000001F7B4B00000-memory.dmp

Filesize
1024KB

Download
memory/1984-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2020-1513-0x0000023401500000-0x0000023401600000-memory.dmp

Filesize
1024KB

Download
memory/2568-347-0x00000219A6EA0000-0x00000219A6EC0000-memory.dmp

Filesize
128KB

Download
memory/2568-359-0x00000219A6E60000-0x00000219A6E80000-memory.dmp

Filesize
128KB

Download
memory/2568-378-0x00000219A74C0000-0x00000219A74E0000-memory.dmp

Filesize
128KB

Download
memory/3120-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3120-80-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3120-81-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3188-1512-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/3632-501-0x000002034B7E0000-0x000002034B800000-memory.dmp

Filesize
128KB

Download
memory/3632-521-0x000002034BDF0000-0x000002034BE10000-memory.dmp

Filesize
128KB

Download
memory/3632-489-0x000002034BA20000-0x000002034BA40000-memory.dmp

Filesize
128KB

Download
memory/3680-1395-0x000001CEB4B90000-0x000001CEB4BB0000-memory.dmp

Filesize
128KB

Download
memory/3680-1374-0x000001CEB47C0000-0x000001CEB47E0000-memory.dmp

Filesize
128KB

Download
memory/3680-1370-0x000001CEB3700000-0x000001CEB3800000-memory.dmp

Filesize
1024KB

Download
memory/3680-1369-0x000001CEB3700000-0x000001CEB3800000-memory.dmp

Filesize
1024KB

Download
memory/3680-1385-0x000001CEB4780000-0x000001CEB47A0000-memory.dmp

Filesize
128KB

Download
memory/3680-199-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/3696-1228-0x00000229A86E0000-0x00000229A8700000-memory.dmp

Filesize
128KB

Download
memory/3696-1240-0x00000229A86A0000-0x00000229A86C0000-memory.dmp

Filesize
128KB

Download
memory/3696-1259-0x00000229A8CC0000-0x00000229A8CE0000-memory.dmp

Filesize
128KB

Download
memory/3776-1367-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/3784-786-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/3816-482-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3848-932-0x000001853C6C0000-0x000001853C6E0000-memory.dmp

Filesize
128KB

Download
memory/3848-927-0x000001853B760000-0x000001853B860000-memory.dmp

Filesize
1024KB

Download
memory/3848-928-0x000001853B760000-0x000001853B860000-memory.dmp

Filesize
1024KB

Download
memory/3848-952-0x000001853C680000-0x000001853C6A0000-memory.dmp

Filesize
128KB

Download
memory/3848-964-0x000001853CCA0000-0x000001853CCC0000-memory.dmp

Filesize
128KB

Download
memory/3940-1066-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3940-162-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3940-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3940-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3940-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3940-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3940-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3980-339-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3984-650-0x0000013831190000-0x00000138311B0000-memory.dmp

Filesize
128KB

Download
memory/3984-663-0x00000138317A0000-0x00000138317C0000-memory.dmp

Filesize
128KB

Download
memory/3984-634-0x0000013830300000-0x0000013830400000-memory.dmp

Filesize
1024KB

Download
memory/3984-639-0x00000138311D0000-0x00000138311F0000-memory.dmp

Filesize
128KB

Download
memory/4148-1221-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/4384-925-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4908-1104-0x0000026D4A020000-0x0000026D4A040000-memory.dmp

Filesize
128KB

Download
memory/4908-1090-0x0000026D49C20000-0x0000026D49C40000-memory.dmp

Filesize
128KB

Download
memory/4908-1075-0x0000026D49C60000-0x0000026D49C80000-memory.dmp

Filesize
128KB

Download
memory/4916-632-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download