cycbot | fccda9ebd2b3b446b713a5754b7d5a70e47f361c0ac457d7529fadd83dfac910

Analysis

max time kernel
50s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
Size

276KB
MD5

00c58b602603b7469c27d35bdfba2a56
SHA1

2ad6873ce069613bf75d182baa5b4af1b5b94755
SHA256

fccda9ebd2b3b446b713a5754b7d5a70e47f361c0ac457d7529fadd83dfac910
SHA512

848b1ae747e6887cce8b7ec92a3aa58fb8bceb8debac2192897cc901b952dd85d03869b298574979601103d8a9ac7ab1c0910a8b5f6eba1ba229a29b0342be2b
SSDEEP

6144:qmYKhFqpD1EcbFFBJBU+iWrq/67IXn9Dhs2pzTJRP7Bi4Gpd:qRQUDfFFm+i2q/67Y9DuYzTJRP7U/

Score

10^/10

cycbot pony backdoor credential_access defense_evasion discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4652-13-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4652-15-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral2/memory/4236-19-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4652-124-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4708-126-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4652-731-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
defense_evasion

Executes dropped EXE 1 IoCs

pid	Process
4196	867.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59B.exe = "C:\\Program Files (x86)\\LP\\F9DE\\59B.exe"	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4652-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4652-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4652-15-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/4236-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4236-16-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4236-19-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4652-124-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4708-126-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4652-731-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\F9DE\59B.exe	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
File opened for modification	C:\Program Files (x86)\LP\F9DE\59B.exe	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
File opened for modification	C:\Program Files (x86)\LP\F9DE\867.tmp	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	867.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "È stata selezionata la voce predefinita %1."	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{73DD4596-E3CD-461E-BF6B-99C9B5F9D07B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1040"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\tn1031.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3412	msiexec.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	4276	explorer.exe
Token: SeCreatePagefilePrivilege	4276	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeCreatePagefilePrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	4076	explorer.exe
Token: SeCreatePagefilePrivilege	4076	explorer.exe
Token: SeShutdownPrivilege	4076	explorer.exe
Token: SeCreatePagefilePrivilege	4076	explorer.exe
Token: SeShutdownPrivilege	4076	explorer.exe
Token: SeCreatePagefilePrivilege	4076	explorer.exe
Token: SeShutdownPrivilege	4076	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
4276	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
4076	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2492	StartMenuExperienceHost.exe
4532	StartMenuExperienceHost.exe
1268	SearchApp.exe
4180	StartMenuExperienceHost.exe
3656	SearchApp.exe
4636	StartMenuExperienceHost.exe
3816	SearchApp.exe
4704	StartMenuExperienceHost.exe
4084	SearchApp.exe
2292	StartMenuExperienceHost.exe
2724	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4236	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	91
PID 4652 wrote to memory of 4236	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	91
PID 4652 wrote to memory of 4236	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	91
PID 4652 wrote to memory of 4708	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	104
PID 4652 wrote to memory of 4708	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	104
PID 4652 wrote to memory of 4708	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	104
PID 4652 wrote to memory of 4196	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	131
PID 4652 wrote to memory of 4196	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	131
PID 4652 wrote to memory of 4196	4652	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe	131

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4652
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe startC:\Users\Admin\AppData\Roaming\E001C\C41F9.exe%C:\Users\Admin\AppData\Roaming\E001C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c58b602603b7469c27d35bdfba2a56.exe startC:\Program Files (x86)\1C5F3\lvvm.exe%C:\Program Files (x86)\1C5F3
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Program Files (x86)\LP\F9DE\867.tmp
  "C:\Program Files (x86)\LP\F9DE\867.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4084

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1988

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\F9DE\867.tmp

Filesize
97KB

MD5
9c85bd17493589b355bde43c7816e9df

SHA1
aadfffdf9f58ad9340af181513d9d9ae08f886c3

SHA256
c4985933ec39f9787a37466153497fb56d3dd43d49909c436362ef488d0587f8

SHA512
43a764d9c6681167f7bb393d526255390c3655bf2488e3b0ee0316e88f1d7dbecafaf22a34eb791a48ebbd2b0f1bd4d3cee06e7e82c2ab55d18c77af6e25ce59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
20e64b00088a9559c728a14e4531ffa3

SHA1
c9d7ab909a2ffb7dc79ae5090895b861c0de3196

SHA256
8432920aae7dd6cdc1a0faf4aae7cffc8042da0df9b634e06ab8c0651921630d

SHA512
c50b86cb7aa4198424e9420e18e511a8cec1de1b4380efa0dd6e147cb60b2fe59b5698ea27374a213d1ecbe579982b0ef7d53d121f370df874d073f4e71704b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
d25d9b9298eaf5e9ee630a243c278bb4

SHA1
34ef758ae2038ffe5ceead23f8b414f9babe0f30

SHA256
de5d51a45a60e130d21c62ea68605f667f26cd4d3ec78544e637fa3b0e464144

SHA512
cb7e5916f7f61281b6c07fc70a7bf70d5225be66446dd1e248a8e6be92e177ee0fb9d4ee48dff6a89552684fb88750c14d0a58e77738f2f287ff71a4db862128

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
1d9844b87ae5b536d727c2e3d481e52c

SHA1
81ecf43de51353b7a8aecef70a8d21d2acd6f485

SHA256
a887ee172c299e894c52e662a0f9f7044447ed9e1e549f33a4451684d6a88721

SHA512
4478ac6b5beb0e5bd939b56f78decc37a63564677af359c2a1fb54ed486fb4f6d92d5d3bd59e2eef42b3acbc4b741998c4362fc5f69e96664ac78684fe42100e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15

Filesize
36KB

MD5
0e2a09c8b94747fa78ec836b5711c0c0

SHA1
92495421ad887f27f53784c470884802797025ad

SHA256
0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

SHA512
61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer

Filesize
36KB

MD5
ab0262f72142aab53d5402e6d0cb5d24

SHA1
eaf95bb31ae1d4c0010f50e789bdc8b8e3116116

SHA256
20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb

SHA512
bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2C1DWAXK\microsoft.windows[1].xml

Filesize
96B

MD5
e348d00fe7b19d8e8f6efc5cd8f3be59

SHA1
de85b87da07da2e4b4215ef312d318f1b329ca6e

SHA256
4ee26da36e3b7d5c9f14f2ed8d6c75c10434acec949dc6e550f176b9acb84dd7

SHA512
a0a9a671e08cb35904098426cf1b50a11d6a0c7be57f684f9808f5c953ac2732dd1f090c3d12260870056a1ee5f9097ad9872715c798fba196d7212a536afcbe

Download Submit
C:\Users\Admin\AppData\Roaming\E001C\C5F3.001

Filesize
996B

MD5
d30820db1842f6e767dcc5707415dd2e

SHA1
59348d3bb16d9aa5513c13069398b2899dc5e97e

SHA256
7cd9d5264a042bb575eacde47bd5ae15c7798c498ce716e60115f20f7279f61d

SHA512
6e4563564f51b9137a014283b5b8add40fe9bb8b22575b47dedcee06cef1286dd299eebc2401c2bfa1919189c4b5f9f296374b784f0c30f64aeb40e4d7b3c175

Download Submit
C:\Users\Admin\AppData\Roaming\E001C\C5F3.001

Filesize
600B

MD5
4e7887facb60c449a60e481eb822a8f5

SHA1
ebcc6e2688ff8e843d1293d66a7feeb7b7ca1fe0

SHA256
c3c1fbd4fa8392ee627f8c97d77ebf1266100a1475b3e0de8225d0735767bead

SHA512
ba0f1f176acd6eff5463cc346bb326a74271fd5e96d972d0561f75c820b83f5d77665f75e67a8c2e40ed953fb0c8151ef63665d454ef8d839e10644dbc85ef2c

Download Submit
C:\Users\Admin\AppData\Roaming\E001C\C5F3.001

Filesize
1KB

MD5
47c680208123b3ee1e3ebe3360338c16

SHA1
d935a178538c61d0d60dd9ab1cebc4870c1bb358

SHA256
96bcdab9e2f970bb166c6f9eb009b9c10cd3b8e5ce9f348a95bfd9e3532b9b52

SHA512
0978a9bb5de9946809e8e059eacfca6cf802c6c976167e289ab027fd260ab23832a4be087e98a13b7abffb779ce6fd32d0e992796040d264e5b11788027d4b06

Download Submit
memory/1036-297-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1268-334-0x00000241D3320000-0x00000241D3340000-memory.dmp

Filesize
128KB

Download
memory/1268-300-0x00000241D1F20000-0x00000241D2020000-memory.dmp

Filesize
1024KB

Download
memory/1268-298-0x00000241D1F20000-0x00000241D2020000-memory.dmp

Filesize
1024KB

Download
memory/1268-316-0x00000241D2F20000-0x00000241D2F40000-memory.dmp

Filesize
128KB

Download
memory/1268-303-0x00000241D2F60000-0x00000241D2F80000-memory.dmp

Filesize
128KB

Download
memory/1268-299-0x00000241D1F20000-0x00000241D2020000-memory.dmp

Filesize
1024KB

Download
memory/1852-1215-0x000001FECDC00000-0x000001FECDD00000-memory.dmp

Filesize
1024KB

Download
memory/1852-1230-0x000001FECEAE0000-0x000001FECEB00000-memory.dmp

Filesize
128KB

Download
memory/1852-1243-0x000001FECF100000-0x000001FECF120000-memory.dmp

Filesize
128KB

Download
memory/1852-1221-0x000001FECEB20000-0x000001FECEB40000-memory.dmp

Filesize
128KB

Download
memory/2404-914-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2684-1363-0x000002235EE00000-0x000002235EF00000-memory.dmp

Filesize
1024KB

Download
memory/2684-1364-0x000002235EE00000-0x000002235EF00000-memory.dmp

Filesize
1024KB

Download
memory/2684-1368-0x000002235FF60000-0x000002235FF80000-memory.dmp

Filesize
128KB

Download
memory/2684-1384-0x000002235FF20000-0x000002235FF40000-memory.dmp

Filesize
128KB

Download
memory/2724-925-0x0000023483560000-0x0000023483580000-memory.dmp

Filesize
128KB

Download
memory/2724-916-0x0000023482440000-0x0000023482540000-memory.dmp

Filesize
1024KB

Download
memory/2724-920-0x00000234835A0000-0x00000234835C0000-memory.dmp

Filesize
128KB

Download
memory/2724-939-0x0000023483970000-0x0000023483990000-memory.dmp

Filesize
128KB

Download
memory/2724-915-0x0000023482440000-0x0000023482540000-memory.dmp

Filesize
1024KB

Download
memory/3152-1073-0x0000022C3F5C0000-0x0000022C3F5E0000-memory.dmp

Filesize
128KB

Download
memory/3152-1068-0x0000022C3E300000-0x0000022C3E400000-memory.dmp

Filesize
1024KB

Download
memory/3152-1069-0x0000022C3E300000-0x0000022C3E400000-memory.dmp

Filesize
1024KB

Download
memory/3152-1083-0x0000022C3F580000-0x0000022C3F5A0000-memory.dmp

Filesize
128KB

Download
memory/3152-1095-0x0000022C3F990000-0x0000022C3F9B0000-memory.dmp

Filesize
128KB

Download
memory/3656-464-0x000001FB1F640000-0x000001FB1F740000-memory.dmp

Filesize
1024KB

Download
memory/3656-465-0x000001FB1F640000-0x000001FB1F740000-memory.dmp

Filesize
1024KB

Download
memory/3656-492-0x000001FB20B60000-0x000001FB20B80000-memory.dmp

Filesize
128KB

Download
memory/3656-479-0x000001FB20750000-0x000001FB20770000-memory.dmp

Filesize
128KB

Download
memory/3656-469-0x000001FB20790000-0x000001FB207B0000-memory.dmp

Filesize
128KB

Download
memory/3760-610-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/3816-629-0x000001FE8A2A0000-0x000001FE8A2C0000-memory.dmp

Filesize
128KB

Download
memory/3816-614-0x000001FE89400000-0x000001FE89500000-memory.dmp

Filesize
1024KB

Download
memory/3816-642-0x000001FE8A8C0000-0x000001FE8A8E0000-memory.dmp

Filesize
128KB

Download
memory/3816-612-0x000001FE89400000-0x000001FE89500000-memory.dmp

Filesize
1024KB

Download
memory/3816-617-0x000001FE8A2E0000-0x000001FE8A300000-memory.dmp

Filesize
128KB

Download
memory/3816-613-0x000001FE89400000-0x000001FE89500000-memory.dmp

Filesize
1024KB

Download
memory/3828-762-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3828-1361-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/4076-462-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/4084-780-0x00000233157E0000-0x0000023315800000-memory.dmp

Filesize
128KB

Download
memory/4084-794-0x0000023315DF0000-0x0000023315E10000-memory.dmp

Filesize
128KB

Download
memory/4084-768-0x0000023315A20000-0x0000023315A40000-memory.dmp

Filesize
128KB

Download
memory/4196-720-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4236-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4236-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4236-19-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4576-1212-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/4652-124-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4652-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4652-731-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4652-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4652-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4652-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4652-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4708-126-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4888-1066-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download