simda | a36d6ebaf2797f68e6e8bbde6b4acc7ba6d8780ed4519057ffafcf149b4f4bcb

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2025 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
Size

259KB
MD5

e85b3594ce638ff4a027cc7baecf1bfa
SHA1

cb8ff1b8722a819aed670d2a4edb97ea03a97c65
SHA256

a36d6ebaf2797f68e6e8bbde6b4acc7ba6d8780ed4519057ffafcf149b4f4bcb
SHA512

c2ca5f8fb9862fa1ab3b86d63a03f3ceff9d9b10c6d44eb6b8bc7bc2d0d08e2a9d16632498979c87f5e4d5561e17d8fcbded6ef141e252ec14b936604e03839f
SSDEEP

6144:iyK4+vW9EnkxPWu9oYUkZYeLoerbZP4sdA9hmEPpW5rpH:FK99kPWqBU0LDrNgsdA9hFPW9

Score

10^/10

simda adware discovery persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

simda

Attributes

dga
cihunemyror.eu

digivehusyd.eu

vofozymufok.eu

fodakyhijyv.eu

nopegymozow.eu

gatedyhavyd.eu

marytymenok.eu

jewuqyjywyv.eu

qeqinuqypoq.eu

kemocujufys.eu

rynazuqihoj.eu

lyvejujolec.eu

tucyguqaciq.eu

xuxusujenes.eu

puzutuqeqij.eu

ciliqikytec.eu

dikoniwudim.eu

vojacikigep.eu

fogeliwokih.eu

nofyjikoxex.eu

gadufiwabim.eu

masisokemep.eu

jepororyrih.eu

qetoqolusex.eu

keraborigin.eu

ryqecolijet.eu

lymylorozig.eu

tunujolavez.eu

xubifaremin.eu

puvopalywet.eu

cicaratupig.eu

dixemazufel.eu

volebatijub.eu

fokyxazolar.eu

nojuletacuf.eu

gahihezenal.eu

magofetequb.eu

jefapexytar.eu

qederepuduf.eu

kepymexihak.eu

rytuvepokuv.eu

lyruxyxaxaw.eu

tuwikypabud.eu

xuqohyxeqak.eu

pumadypyruv.eu

cinepycusaw.eu

divywysigud.eu

vocumucokaj.eu

foxivusozuc.eu

nozoxucavaq.eu

galokusemus.eu

makagucyraj.eu

jejedudupuc.eu

qegytuvufoq.eu

kefuwidijyp.eu

rydinivoloh.eu

lysovidacyx.eu

tupazivenom.eu

xutekidywyp.eu

puregivytoh.eu

ciqydofudyx.eu

dimutobihom.eu

voniqofolyt.eu

fobonobaxog.eu

novacofebyz.eu

gacezobeqon.eu

maxyjofytyt.eu

jeluganusog.eu

qekusagigyz.eu

kejitanokon.eu

ryhoqagoxyr.eu

lygananavof.eu

tufecagemyl.eu

xudylenyrob.eu

pupujeguper.eu

citifemifif.eu

dirosehijel.eu

voworemoziv.eu

foqaqehacew.eu

nomebemenid.eu

ganycyhywek.eu

mavulymupiv.eu

jecijyjudew.eu

qexofyqihid.eu

kezapyjolek.eu

ryleryqacic.eu

lykemujebeq.eu

tujybuqeqis.eu

xuguxujytej.eu

pufiluqudic.eu

cidohukigeq.eu

disafuwokis.eu

vopepukaxej.eu

fotyriwavix.eu

norumikemem.eu

gaquviwyrup.eu

mamixikusah.eu

jenokirifux.eu

qebahilojam.eu

kevedorozup.eu

rycypolavag.eu

lyxuworenuz.eu

tulimolywan.eu

xukovoruput.eu

pujoxolufag.eu

cihakotihuz.eu

digegazolan.eu

vofydatacut.eu

fodutazenaf.eu

nopiwatyqul.eu

gatonazytab.eu

maravatudur.eu

jewezexigaf.eu

qeqekepokul.eu

kemygexaxab.eu

rynudepebur.eu

lyvitexemod.eu

tucoqepyryk.eu

xuxanexusov.eu

puzecypigyw.eu

cilyzycojod.eu

dikujysozyk.eu

vojugycavov.eu

fogisysemyq.eu

nofotycywos.eu

gadaqusupyj.eu

masenucifoc.eu

jepycudijyq.eu

qetuluvolos.eu

kerijudacyj.eu

ryqofuvenoc.eu

lymosudyqym.eu

tunarivutop.eu

xubeqidudyh.eu

puvybivihox.eu

cicucifokym.eu

dixilibaxop.eu

volojifebeh.eu

fokafobeqix.eu

nojepofyren.eu

gaherobusit.eu

magymofigeg.eu

jefubonokiz.eu

qedixogazen.eu

kepolonavit.eu

rytahagemeg.eu

lyrefanyril.eu

tuwypagupeb.eu

xuquranifir.eu

pumumagojef.eu

cinivamolil.eu

divoxehaceb.eu

vocakemenir.eu

foxehehywef.eu

nozydemutik.eu

galupehudev.eu

makiwemihiw.eu

jejomejoled.eu

qegovyqaxuk.eu

kefaxyjebav.eu

rydekyqyquw.eu

lysygyjytad.eu

tupudyqusuj.eu

xutityjigac.eu

purowuqokuq.eu

ciqanukaxas.eu

dimevuwevuj.eu

vonezukemac.eu

fobykuwyruq.eu

novugukupap.eu

gaciduwifuh.eu

maxotikojax.eu

jelaqirozum.eu

qekenilacap.eu

kejycirenuh.eu

ryhuzilywax.eu

lygujirupum.eu

tufigolidat.eu

xudosorihug.eu

pupatololoz.eu

citeqotacyn.eu

dirynozebot.eu

vowucotyqyg.eu

foqilozutoz.eu

nomojatudyn.eu

ganofazigor.eu

mavasatokyf.eu

jeceraxaxol.eu

qexyqapevyb.eu

kezubaxemor.eu

rylicepyryf.eu

lykolexusol.eu

tujajepifyv.eu

xugefexojow.eu

pufepepazyd.eu

cidyrecavok.eu

disumesenyv.eu

vopibycywow.eu

fotoxysupyd.eu

noralycifok.eu

gaqehysohec.eu

mamyfycoliq.eu

jenupydaces.eu

qeburuvenij.eu

kevimudyqec.eu

rycovuvutiq.eu

lyxaxududes.eu

tulekuvigij.eu

xukyhudokex.eu

pujuduvaxim.eu

cihipifebep.eu

digowibymih.eu

vofomifyrex.eu

fodavibusim.eu

nopexifigep.eu

gatykibojig.eu

marugofazez.eu

jewidonevin.eu

qeqotogemet.eu

kemawonywig.eu

rynenogupez.eu

lyvevonifun.eu

tucyzogojat.eu

xuxukanoluf.eu

puzigagacal.eu

cilodamenub.eu

dikatahyqar.eu

vojeqamutuf.eu

fogynahidal.eu

nofucemihub.eu

gaduzehokar.eu

masijemaxud.eu

jepogejebak.eu

qetaseqyquv.eu

keretejuraw.eu

ryqyqequsud.eu

lymunyjigak.eu

tunicyqokuv.eu

xubolyjazaq.eu

puvojyqevus.eu

cicafykemaj.eu

dixesywyruc.eu

volyrukupoq.eu

fokuquwifys.eu

nojibukojoj.eu

gahocuwalyc.eu

magalukacom.eu

jefejurenyp.eu

qedefulywoh.eu

kepypirutyx.eu

ryturilidom.eu

lyrimirohyp.eu

tuwobiloloh.eu

xuqaxiraxyx.eu

pumelilebon.eu

cinyhotyqyt.eu

divufozutog.eu

vocupotusyz.eu

foxirozigon.eu

nozomotokyt.eu

galavozaxog.eu

makexotevyl.eu

jejykaxymob.eu

qeguhapyrer.eu

kefidaxupif.eu

rydopapifel.eu

lysowaxojib.eu

tupamapazer.eu

xutevexecif.eu

puryxepenek.eu

ciqukecywiv.eu

dimigesupew.eu

vonodecidid.eu

fobatesohek.eu

novewecoliv.eu

gacenysacew.eu

maxyvycebid.eu

jeluzydyqej.eu

qekikyvutic.eu

kejogydideq.eu

ryhadyvigis.eu

lygetudokej.eu

tufyquvaxic.eu

xudunudeveq.eu

pupucuvymup.eu

citizufurah.eu

dirojubusux.eu

vowagufifam.eu

foqesibojup.eu

nomytifazah.eu

ganuqibevux.eu

mavinifenam.eu

jecocinywut.eu

qexoligupag.eu

kezajonifuz.eu

rylefogohan.eu

lykysonalut.eu

tujurogacag.eu

xugiqonenuz.eu

pufobogyqan.eu

cidacomutur.eu

diselahidaf.eu

vopejamogul.eu

fotyfahokab.eu

norupamaxur.eu

gaqirahebof.eu

mamomamymyl.eu

jenabejurov.eu

qebexequsyw.eu

kevylejigod.eu

rycuheqojyk.eu

lyxufejazov.eu

tulipeqevyw.eu

xukorejymod.eu

pujamyqywyk.eu

cihevykupoc.eu

digyxywifyq.eu

vofukykojos.eu

fodihywalyj.eu

nopodykecoc.eu

gatopuwenyq.eu

marawukyqos.eu

jewemurutyj.eu

qeqyvulidox.eu

kemuxurohym.eu

rynikulokop.eu

lyvoguraxeh.eu

tucadilebix.eu

xuxetiryqem.eu

puzewilurip.eu

cilynitiseg.eu

dikuvizigiz.eu

vojizitoken.eu

fogokozazit.eu

nofagoteveg.eu

gadedozymiz.eu

masytoturen.eu

jepuqoxupit.eu

qetunopifef.eu

kericoxojil.eu

ryqozapaleb.eu

lymajaxecir.eu

tunegapenef.eu

xubysaxywil.eu

puvutaputeb.eu

ciciqacidir.eu

dixonesohed.eu

volocecaluk.eu

fokalesaxav.eu

nojejecebuw.eu

gahyfesyqad.eu

magusecutuk.eu

jefiredisav.eu

qedoqyvoguq.eu

kepabydokas.eu

rytecyvaxuj.eu

lyrelydevac.eu

tuwyjyvymuq.eu

xuqufyduras.eu

pumipuvupuj.eu

cinorufifac.eu

divamubojum.eu

vocebufazap.eu

foxyxubecuh.eu

nozulufynax.eu

galuhubywum.eu

makififupap.eu

jejopiniduh.eu

qegarigohox.eu

kefeminalyn.eu

rydyvigecot.eu

lysuxinebyg.eu

tupikogyqoz.eu

xutohonutyn.eu

purodogidot.eu

ciqapomogyg.eu

dimewohokol.eu

vonymomaxyb.eu

fobuvohevor.eu

novixamymyf.eu

gacokahurol.eu

maxagamisyb.eu

jeledajifor.eu

qeketaqojyf.eu

kejywajazok.eu

ryhuneqevyv.eu

lygivejynow.eu

tufozequwyd.eu

xudakejupok.eu

pupegeqifev.eu

citydekohiw.eu

dirutewaled.eu

vowuqykecij.eu

foqinywenec.eu

nomocykyqiq.eu

ganazywutes.eu

mavejykidij.eu

jecygyrogec.eu

qexusulakiq.eu

kezituraxep.eu

ryloqulebih.eu

lykonurymex.eu

tujaculurim.eu

xugelurisep.eu

pufyjulogih.eu

cidufitojex.eu

disisizazim.eu

voporitevet.eu

fotaqizymig.eu

norebituwez.eu

gaqecizupun.eu

mamylotifat.eu

jenujoxojug.eu

qebifopalaz.eu

kevopoxecun.eu

rycaropynar.eu

lyxemoxyquf.eu

tulyboputal.eu

xukuxaxidub.eu

pujulapohar.eu

cihihacakuf.eu

digofasexal.eu

vofapacebuv.eu

foderasyqaw.eu

nopymecurud.eu

gatuvesisak.eu

marixecoguv.eu

jewokedokaw.eu

qeqohevazud.eu

kemadedevak.eu

rynepevymuc.eu

lyvywyduroq.eu

tucumyvipys.eu

xuxivydifoj.eu

puzoxyvojyc.eu

cilakyfaloq.eu

dikegybecys.eu

vojedufynoj.eu

fogytubuwyx.eu

nofuwufutom.eu

gadinubidyp.eu

masovufohoh.eu

jepazunalyx.eu

qetekugexom.eu

keryginebyp.eu

ryqudigyqog.eu

lymutinutyz.eu

tuniqigison.eu

xuboninogyt.eu

puvacigakog.eu

cicezomaxyz.eu

dixyjohevon.eu

volugomymet.eu

fokisohurif.eu

nojotomipel.eu

gahoqohofib.eu

maganomojer.eu

jefecajazif.eu

qedylaqecel.eu

kepujajynib.eu

rytifaquwer.eu

lyrosajupid.eu

tuwaraqidek.eu

xuqeqejohiv.eu

pumebeqalew.eu

cinycekecid.eu

divulewybek.eu

vocijekyqiv.eu

foxofewuteq.eu

nozapekidis.eu

galerywogej.eu

makymykakic.eu

jejubyrexeq.eu

qeguxylevus.eu

kefilyrymaj.eu

rydohyluruc.eu

lysafurisam.eu

tupepulofup.eu

xutyrurojah.eu

purumulazux.eu

ciqivutevam.eu

dimoxuzynup.eu

vonokutuwah.eu

fobahizipux.eu

noveditifan.eu

gacypizohut.eu

maxuwitalag.eu

jelimixecuz.eu

qekovipynan.eu

kejaxoxuqut.eu

ryhekoputag.eu

lygegoxidul.eu

tufydopogab.eu

xudutoxakur.eu

pupiwopexof.eu

citonocebyl.eu

diravasymob.eu

vowezacuryr.eu

foqykasisof.eu

nomugacogyk.eu

ganudasajov.eu

mavitacazyw.eu

jecoqedevod.eu

qexanevymyk.eu

kezeceduwov.eu

rylyzevipyw.eu

lykujedofod.eu

tujigevojyj.eu

xugosedaloc.eu

pufotyvecyq.eu

cidaqyfynos.eu

disenybuqyj.eu

vopycyfutoc.eu

fotulybidyq.eu

norijyfohop.eu

gaqofubakeh.eu

mamasufexix.eu

jenerunybem.eu

qebequgyqip.eu

kevybunureh.eu

rycucugisix.eu

lyxilunogem.eu

tulojigakit.eu

xukafinezeg.eu

pujepigeviz.eu

cihyrimymen.eu

digumihurit.eu

vofubimipeg.eu

fodixohofiz.eu

nopolomojen.eu

gatahohalir.eu

marefomecef.eu

jewypojynil.eu

qequroquweb.eu

kemimojitir.eu

rynovaqidef.eu

lyvoxajohul.eu

tucakaqalav.eu

xuxehajexuw.eu

puzydaqybad.eu

cilupakuquk.eu

dikiwewutav.eu

vojomekisuw.eu

fogavewogad.eu

nofexekakuk.eu

gadekewexac.eu

masygekevuq.eu

jepuderymas.eu

qetityluruj.eu

kerowyripac.eu

ryqanylofuq.eu

lymevyrajas.eu

tunyzylazuj.eu

xubukyrecax.eu

puvugulynum.eu

cicidutuwap.eu

dixotuzipuh.eu

volaqutodox.eu

fokenuzohym.eu

nojycutalop.eu

gahuzuzecyg.eu

magijityboz.eu

jefogixuqyn.eu

qedosiputot.eu

kepatixidyg.eu

ryteqipogoz.eu

lyrynixakyn.eu

tuwucopexot.eu

xuqiloxyvyf.eu

pumojopymol.eu

cinafocuryb.eu

divesosisor.eu

vocerocofyf.eu

foxyqosajol.eu

nozubacezyb.eu

galicasevor.eu

makolacynyd.eu

jejajaduwok.eu

qegefavipev.eu

kefypadofiw.eu

rydurevohed.eu

lysumedalik.eu

tupibevecev.eu

xutoxedyniq.eu

puralevuqes.eu

ciqehefitij.eu

dimyfebidec.eu

vonupyfogiq.eu

fobirybakes.eu

novomyfexij.eu

gacovybybec.eu

maxaxyfumim.eu

jelekynurep.eu

qekyhugisih.eu

kejudunogex.eu

ryhipugajim.eu

lygowunezep.eu

tufamugevih.eu

xudevunymex.eu

pupexuguwun.eu

citykimipat.eu

dirugihofug.eu

vowidimajaz.eu

foqotihalun.eu

nomawimecat.eu

ganenihynug.eu

mavyvomuqal.eu

jecuzojitub.eu

qexukoqodar.eu

kezigojohuf.eu

rylodoqakal.eu

lykatojexub.eu

tujeqoqybar.eu

xugynajuquf.eu

pufucaqurak.eu

cidizakisuv.eu

disojawogaw.eu

vopogakakud.eu

fotasawezak.eu

noretekyvuv.eu

gaqyqewymow.eu

mamunekuryd.eu

jeniceripoj.eu

qebolelofyc.eu

kevajerajoq.eu

rycefelelys.eu

lyxesyrecoj.eu

tulyrylynyc.eu

xukuqyruwoq.eu

pujibylityp.eu

cihocytodoh.eu

digalyzohyx.eu

vofejutalom.eu

fodyfuzexyp.eu

nopuputyboh.eu

gaturuzuqyx.eu

marimutitom.eu

jewobuxisyt.eu

qeqaxupogog.eu

kemelixakyz.eu

rynyhipexon.eu

lyvufixyvet.eu

tucipipumig.eu

xuxorixurez.eu

puzomipipin.eu

cilavocofer.eu

dikexosajif.eu

vojykocezel.eu

foguhosecib.eu

nofidocyner.eu

gadoposuwif.eu

masawocipel.eu

jepemadodiv.eu

qetevavahew.eu

keryxadalid.eu

ryqukavecek.eu

lymigadybiv.eu

tunodavuqew.eu

xubateditid.eu

puvewevodek.eu

cicynefogic.eu

dixuvebakeq.eu

voluzefexus.eu

fokikebyvaj.eu

nojogefumuc.eu

gahadyburaq.eu

magetyfisus.eu

jefyqynofaj.eu

qedunygajux.eu

kepicynezam.eu

rytozygyvup.eu

lyrojunynah.eu

tuwaguguwux.eu

xuqesunipam.eu

pumytugofup.eu

cinuqumahag.eu

divinuheluz.eu

vococumecan.eu

foxalihynut.eu

nozejimuqag.eu

galefihituz.eu

makysimodan.eu

jejurijogut.eu

qegiqiqakof.eu

kefobojexyl.eu

rydacoqybob.eu

lyselojumyr.eu

tupyjoqirof.eu

xutufojisyl.eu

purupoqogob.eu

ciqirokajyr.eu

dimomawezod.eu

vonabakyvyk.eu

fobexawumov.eu

novylakuwyw.eu

gacuhawipod.eu

maxifakofyk.eu

jeloperajov.eu

qekorelelyq.eu

kejamerecos.eu

ryhevelynyj.eu

lygyxeruqoc.eu

tufukelityq.eu

xudiherodos.eu

pupodylahej.eu

citapytakic.eu

direwyzexem.eu

vowemytybip.eu

foqyvyzuqeh.eu

nomuxytirix.eu

ganikuzosem.eu

mavogutogip.eu

jecaduxakeh.eu

qexetupezix.eu

kezywuxyven.eu

rylunupumit.eu

lykuvuxureg.eu

tujizipipiz.eu

xugokixofen.eu

pufagipajit.eu

cidediceleg.eu

disytisycil.eu

vopuqicyneb.eu

fotinosuwir.eu

norococitef.eu

gaqozosodul.eu

mamajocahab.eu

jenegodelur.eu

qebysovexaf.eu

kevutodybuk.eu

ryciqavuqav.eu

lyxonadituw.eu

tulacavosad.eu

xukeladoguk.eu

pujejavakav.eu

cihyfafexuw.eu

digusebyvad.eu

vofirefumuj.eu

fodoqebirac.eu

nopabefipuq.eu

gatecebofas.eu

marylefajuj.eu

jewujenezac.eu

qequfygycuq.eu

kemipynunap.eu

rynoryguwuh.eu

lyvamynipox.eu

tucebygodym.eu

xuxyxynahop.eu

puzulugelyh.eu

cilihumecox.eu

dikofuhybym.eu

vojopumuqot.eu

fogaruhityg.eu

nofemumodoz.eu

gadyvuhagyn.eu

masuximakot.eu

jepikijexyg.eu

qetohiqyvoz.eu

keradijumyn.eu

ryqepiqiror.eu

lymewijosyf.eu

tunymoqofol.eu

xubuvojajyb.eu

puvixoqezor.eu

cicokokyvyf.eu

dixagowunol.eu

voledokuwev.eu

fokytowipiw.eu

nojuwakofed.eu

gahunawahik.eu

magivakelev.eu

jefozaryciw.eu

qedakalyned.eu

kepegaruqik.eu

rytydelitec.eu

lyruterodiq.eu

tuwiqelages.eu

xuqonerekij.eu

pumocelexec.eu

cinazetybiq.eu

divejezumes.eu

vocygytirij.eu

foxusyzosex.eu

nozitytogim.eu

galoqyzajep.eu

makanytezih.eu

jejecyxyvex.eu

qegelupumum.eu

kefyjuxiwap.eu

rydufupipug.eu

lysisuxofaz.eu

tuporupajun.eu

xutaquxelat.eu

purebupycug.eu

ciqycicunaz.eu

dimulisuqun.eu

vonujicitat.eu

fobifisoduf.eu

novopicahal.eu

gacarisekub.eu

maxemocexar.eu

jelybodybuf.eu

qekuxovuqal.eu

kejilodirub.eu

ryhohovosar.eu

lygofodagud.eu

tufapovakak.eu

xuderadezuv.eu

pupymavyvow.eu

cituvafumyd.eu

dirixabirok.eu

vowokafopyv.eu

foqahabofoq.eu

nomedefajys.eu

ganepebeloj.eu

mavywefycyc.eu

jecumenunoq.eu

qexiveguwys.eu

kezoxenitoj.eu

rylakegodyc.eu

lykegynahom.eu

tujydygelyp.eu

xugutynyxoh.eu

pufuwygybyx.eu

cidinymuqom.eu

disovyhityp.eu

vopazumosoh.eu

fotekuhagyx.eu

norygumekon.eu

gaquduhexet.eu

mamitumyvig.eu

jenoqujumez.eu

qebonuqirin.eu

kevacijopet.eu

ryceziqofig.eu

lyxyjijajel.eu

tulugiqezib.eu

xukisijycer.eu

pujotiqunif.eu

cihaqokiwel.eu

digenowipib.eu

vofecokoder.eu

fodylowahif.eu

nopujokelek.eu

gatifowyciv.eu

marosokubew.eu

jewararuqid.eu

qeqeqalitek.eu

kemybarodiv.eu

rynucalagew.eu

lyvularekud.eu

tucijalexaj.eu

xuxoferyvuc.eu

puzapelumaq.eu

cileretirus.eu

dikymezosaj.eu

vojubetafuc.eu

fogixezajaq.eu

nofoletezup.eu

gadohyzyvah.eu

masafytunux.eu

jepepyxiwam.eu

qetyrypopup.eu

kerumyxofah.eu

ryqivypahux.eu

lymoxuxelam.eu

tunakupycut.eu

xubehuxunag.eu

puvedupuquz.eu

cicypucitan.eu

dixuwusodut.eu

volimucagog.eu

fokovisekyz.eu

nojaxicyxon.eu

gahekisybyr.eu

magygicumof.eu

jefudidiryl.eu

qedutivosob.eu

kepiwodagyr.eu

rytonovejof.eu

lyravodezyl.eu

tuwezovyvov.eu

xuqykodumyw.eu

pumugoviwod.eu

cinidofopyk.eu

divotabofov.eu

vocoqafajyw.eu

foxanabelod.eu

nozecafycyk.eu

galyzabunoc.eu

makujafiqyq.eu

jejigenitos.eu

qegosegodej.eu

kefatenahic.eu

rydeqegekeq.eu

lysenenyxis.eu

tupycegubej.eu

xutulenuqix.eu

purijygirem.eu

ciqofymosip.eu

dimasyhageh.eu

vonerymekix.eu

fobyqyhezem.eu

novubymyvip.eu

gacucuhumeg.eu

maxilumiriz.eu

jelojujopen.eu

qekafuqafit.eu

kejepujajeg.eu

ryhyruqeliz.eu

lygumujycen.eu

tufibiqunit.eu

xudoxijiwef.eu

pupoliqotul.eu

citahikodab.eu

direfiwahur.eu

vowypikelaf.eu

foqurowyxul.eu

nomimokubab.eu

ganovowuqur.eu

mavaxokitad.eu

jecekorosuk.eu

qexeholagav.eu

kezydorekuw.eu

rylupalyxad.eu

lykiwaryvuk.eu

tujomalumav.eu

xugavariruq.eu

pufexalopas.eu

cidykatafuj.eu

disugezejac.eu

vopudetezuq.eu

fotitezycas.eu

norowetunuj.eu

gaqaneziwoc.eu

mamevetopym.eu

jenyzexodop.eu

qebukypahyh.eu

kevigyxelox.eu

rycodypycym.eu

lyxotyxubop.eu

tulaqypiqyh.eu

xukenyxitox.eu

pujycupodyn.eu

cihuzucagot.eu

digijusekyg.eu

vofogucyxoz.eu

fodasusuvyn.eu

nopetucumot.eu

gatequsiryg.eu

marynicosol.eu

jewucidafyb.eu

qeqilivejor.eu

kemojidezyf.eu

rynafivyvol.eu

lyvesiduneb.eu

tucyroviwir.eu

xuxuqodopef.eu

puzubovafik.eu

cilicofahev.eu

dikolobeliw.eu

vojajofyced.eu

fogefobunik.eu

nofypafiqev.eu

gadurabotiw.eu

masimafoded.eu

jepobanagij.eu

qetoxagekec.eu

keralanyxiq.eu

ryqehegubes.eu

lymyfenumij.eu

tunupegirec.eu

xubirenosiq.eu

puvomegagep.eu

cicavemejih.eu

dixexehyzex.eu

volekymyvum.eu

fokyhyhumap.eu

nojudymiwuh.eu

gahipyhopax.eu

magowymafum.eu

jefamyjejat.eu

qedevuqelug.eu

kepyxujycaz.eu

rytukuqunun.eu

lyrugujiqat.eu

tuwiduqotug.eu

xuqotujodaz.eu

pumawuqahun.eu

cinenikekar.eu

divyviwyxuf.eu

vocuzikubal.eu

foxikiwiqub.eu

nozogikirar.eu

galodiwosuf.eu

makatokagal.eu

jejeqorekuv.eu

qegynolyzow.eu

kefucoruvyd.eu

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE,"	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe

Simda family
simda
simda
Simda is an infostealer written in C++.
stealer trojan simda

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
337	2004	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
3584	setup.exe
4928	setup.exe
1824	setup.exe
3300	setup.exe
4032	setup.exe
348	setup.exe
4640	setup.exe
4728	setup.exe
1440	setup.exe
4560	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE"	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cfdef843 = "\u009d\x04†iå‰Î$\u0081vOðçtªÌZ¿’“\x06\x1a—û\r\u009d\\Ö ñó°‡3"	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE"	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\es-419.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\135e1ac9-5524-4d7e-ac89-10966618622e.tmp	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe	MicrosoftEdge_X64_132.0.2957.140.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\nl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\is.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-GB.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\show_third_party_software_licenses.bat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\et.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\SETUP.EX_	MicrosoftEdge_X64_132.0.2957.140.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3584_13383766284213103_3584.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\msedge.hollow.7z	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fi.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2124	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe\""	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState\EdpCleanupState = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
Token: SeSecurityPrivilege	2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
Token: SeSecurityPrivilege	2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
Token: SeSecurityPrivilege	2176	JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
Token: 33	3584	setup.exe
Token: SeIncBasePriorityPrivilege	3584	setup.exe
Token: SeDebugPrivilege	380	wwahost.exe
Token: SeDebugPrivilege	380	wwahost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
380	wwahost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 3584	900	MicrosoftEdge_X64_132.0.2957.140.exe	96
PID 900 wrote to memory of 3584	900	MicrosoftEdge_X64_132.0.2957.140.exe	96
PID 3584 wrote to memory of 4928	3584	setup.exe	97
PID 3584 wrote to memory of 4928	3584	setup.exe	97
PID 3584 wrote to memory of 1824	3584	setup.exe	98
PID 3584 wrote to memory of 1824	3584	setup.exe	98
PID 1824 wrote to memory of 3300	1824	setup.exe	99
PID 1824 wrote to memory of 3300	1824	setup.exe	99
PID 3584 wrote to memory of 4032	3584	setup.exe	100
PID 3584 wrote to memory of 4032	3584	setup.exe	100
PID 3584 wrote to memory of 348	3584	setup.exe	101
PID 3584 wrote to memory of 348	3584	setup.exe	101
PID 4032 wrote to memory of 4640	4032	setup.exe	102
PID 4032 wrote to memory of 4640	4032	setup.exe	102
PID 3584 wrote to memory of 4728	3584	setup.exe	103
PID 3584 wrote to memory of 4728	3584	setup.exe	103
PID 348 wrote to memory of 1440	348	setup.exe	104
PID 348 wrote to memory of 1440	348	setup.exe	104
PID 4728 wrote to memory of 4560	4728	setup.exe	105
PID 4728 wrote to memory of 4560	4728	setup.exe	105

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e85b3594ce638ff4a027cc7baecf1bfa.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUUyRjZCRTktMzZCMy00QzlFLUE1QTUtQTA4MzI4MTBGMEZGfSIgdXNlcmlkPSJ7NzAzQTJFRDQtNzgyNS00NDZFLTk0RTAtMkVCQjg1NTcwMTI5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUMwNDUzQTUtMDQ2MS00OTlFLUFDQjktRjVDNTEzNDc2QkVGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjEzNTAxNjExIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2124

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\MicrosoftEdge_X64_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:900
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3584
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6037ea818,0x7ff6037ea824,0x7ff6037ea830
    3⤵
    - Executes dropped EXE
    PID:4928
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6037ea818,0x7ff6037ea824,0x7ff6037ea830
      4⤵
      Executes dropped EXE
      PID:3300
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79bc6a818,0x7ff79bc6a824,0x7ff79bc6a830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79bc6a818,0x7ff79bc6a824,0x7ff79bc6a830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1440
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79bc6a818,0x7ff79bc6a824,0x7ff79bc6a830
      4⤵
      Executes dropped EXE
      PID:4560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:2688

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
PID:3116

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EECCB076-10E1-4F6F-AC85-79AE84AEE3B1}\EDGEMITMP_A9977.tmp\setup.exe

Filesize
6.6MB

MD5
b4c8ad75087b8634d4f04dc6f92da9aa

SHA1
7efaa2472521c79d58c4ef18a258cc573704fb5d

SHA256
522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

SHA512
5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.7MB

MD5
3646786aea064c0845f5bb1b8e976985

SHA1
a31ba2d2192898d4c0a01511395bdf87b0e53873

SHA256
a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

SHA512
145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

Download Submit
C:\Program Files\msedge_installer.log

Filesize
70KB

MD5
7f21c78925c91bf717f0f05930de7385

SHA1
dff1353dff160633d1c87fcd4c81f39b26e52492

SHA256
ded40dfda5d7f99f55b9f02a1049e538251698b34fef19a38161f31715ee647c

SHA512
fe4fc673cd5dcaea4a5fc973c5279836b855ae8eab232a01fc5f966db60daeb99e82c2051158147914fc04a7cc74a0dd2fcb8919c7ca3dd7864a7c74636a2e8a

Download Submit
C:\Program Files\msedge_installer.log

Filesize
96KB

MD5
bb5a95e3b220d44fa2692d662d1a2f10

SHA1
3cbf4599f9e05670e2823abfbc6c03c6238b9c64

SHA256
611118822e0e8090809165f97e2429c2d5b023a8dfcbb878ea10cba3ad3a13b9

SHA512
9e711fcf4ec3c1b17e214aff7c6e92648689bec38b7cb6aa37ec74fc228ac362b0a56e73770ec5815149b71edf1608bb464bc350aaaf08b7ce2eada864ac1959

Download Submit
C:\Program Files\msedge_installer.log

Filesize
101KB

MD5
e983624e4b87a8979cabc4a87bf38da6

SHA1
eecc6600cbcd4d081d499d89eda4f69a8d4eec84

SHA256
1d946e7ef35cfc67f1f07f411ca80f39c01e17b2dbc8d5c6f922a9685e6938e2

SHA512
db254da96b5f414895ad40d203d63a542eecc01c0e1bdeb68b354e80802a6579eae05e5deb160314a5dbb2ea518f92d9cdad751bc971006c30d6531a1753308f

Download Submit
C:\Program Files\msedge_installer.log

Filesize
102KB

MD5
07576d0500ac9b6eec02b7fbda25c2e0

SHA1
532da26dae0c4ec1d09f597b28c7fedf9df99ac6

SHA256
0cb7001f97da50d608407abbc2966626cb5e15604e84437c6b55c9940cf5f5cc

SHA512
dd4ad554b5e6982ca208ecf906568f0289e1e6a86dcff9f1b76ebaedcf96898d944cfa3b02f0723915b6f61ee9e696c5dd0e9d33051781635c3f1f227eb1a248

Download Submit
memory/2176-92-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-62-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-5-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-7-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-9-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-88-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-118-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-117-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-116-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-115-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-87-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-113-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-112-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-111-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-110-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-109-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-108-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-107-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-106-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-105-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-104-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-103-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-102-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-101-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-99-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-98-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-97-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-96-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-95-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-89-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-93-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-3-0x0000000002080000-0x0000000002132000-memory.dmp

Filesize
712KB

Download
memory/2176-91-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-90-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-94-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2176-114-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-86-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-85-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-83-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-82-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-81-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-80-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-79-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-78-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-77-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-76-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-75-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-74-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-73-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-72-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-71-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-70-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-68-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-66-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-67-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-65-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-63-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-100-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-0-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/2176-84-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-69-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-64-0x00000000026B0000-0x0000000002768000-memory.dmp

Filesize
736KB

Download
memory/2176-127-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/2176-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-261-0x000002B1260E0000-0x000002B1260EE000-memory.dmp

Filesize
56KB

Download
memory/3116-262-0x000002B126590000-0x000002B12659A000-memory.dmp

Filesize
40KB

Download
memory/3116-263-0x000002B1265C0000-0x000002B1265C8000-memory.dmp

Filesize
32KB

Download
memory/3116-264-0x000002B140A00000-0x000002B140C49000-memory.dmp

Filesize
2.3MB

Download