simda | c48bfce49ba64436860fc58a821d165a6696ae76dbcf409a986119a94d0d6688

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2025 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Size

257KB
MD5

e983e7b9e6d848397029c2b2d73b7fcc
SHA1

b0f257d55001ae86c8032a9f9cac8612377c91c4
SHA256

c48bfce49ba64436860fc58a821d165a6696ae76dbcf409a986119a94d0d6688
SHA512

c67285178adbb2fe92509c7e778e1bbb224a3a0885975a0f55a0ac3de34a4c124fce69a129b569d9521680fca1a5f5cd4ba65304239b977942817b84ae83be0b
SSDEEP

6144:dgiD9CmFlaRUdduv9sZIUlfxryHfvau9hHoyrnETB2ebz:n9C3N2ZIUl4/njr8B2Yz

Score

10^/10

simda adware discovery persistence privilege_escalation stealer trojan upx

Malware Config

Extracted

Family

simda

Attributes

dga
cihunemyror.eu

digivehusyd.eu

vofozymufok.eu

fodakyhijyv.eu

nopegymozow.eu

gatedyhavyd.eu

marytymenok.eu

jewuqyjywyv.eu

qeqinuqypoq.eu

kemocujufys.eu

rynazuqihoj.eu

lyvejujolec.eu

tucyguqaciq.eu

xuxusujenes.eu

puzutuqeqij.eu

ciliqikytec.eu

dikoniwudim.eu

vojacikigep.eu

fogeliwokih.eu

nofyjikoxex.eu

gadufiwabim.eu

masisokemep.eu

jepororyrih.eu

qetoqolusex.eu

keraborigin.eu

ryqecolijet.eu

lymylorozig.eu

tunujolavez.eu

xubifaremin.eu

puvopalywet.eu

cicaratupig.eu

dixemazufel.eu

volebatijub.eu

fokyxazolar.eu

nojuletacuf.eu

gahihezenal.eu

magofetequb.eu

jefapexytar.eu

qederepuduf.eu

kepymexihak.eu

rytuvepokuv.eu

lyruxyxaxaw.eu

tuwikypabud.eu

xuqohyxeqak.eu

pumadypyruv.eu

cinepycusaw.eu

divywysigud.eu

vocumucokaj.eu

foxivusozuc.eu

nozoxucavaq.eu

galokusemus.eu

makagucyraj.eu

jejedudupuc.eu

qegytuvufoq.eu

kefuwidijyp.eu

rydinivoloh.eu

lysovidacyx.eu

tupazivenom.eu

xutekidywyp.eu

puregivytoh.eu

ciqydofudyx.eu

dimutobihom.eu

voniqofolyt.eu

fobonobaxog.eu

novacofebyz.eu

gacezobeqon.eu

maxyjofytyt.eu

jeluganusog.eu

qekusagigyz.eu

kejitanokon.eu

ryhoqagoxyr.eu

lygananavof.eu

tufecagemyl.eu

xudylenyrob.eu

pupujeguper.eu

citifemifif.eu

dirosehijel.eu

voworemoziv.eu

foqaqehacew.eu

nomebemenid.eu

ganycyhywek.eu

mavulymupiv.eu

jecijyjudew.eu

qexofyqihid.eu

kezapyjolek.eu

ryleryqacic.eu

lykemujebeq.eu

tujybuqeqis.eu

xuguxujytej.eu

pufiluqudic.eu

cidohukigeq.eu

disafuwokis.eu

vopepukaxej.eu

fotyriwavix.eu

norumikemem.eu

gaquviwyrup.eu

mamixikusah.eu

jenokirifux.eu

qebahilojam.eu

kevedorozup.eu

rycypolavag.eu

lyxuworenuz.eu

tulimolywan.eu

xukovoruput.eu

pujoxolufag.eu

cihakotihuz.eu

digegazolan.eu

vofydatacut.eu

fodutazenaf.eu

nopiwatyqul.eu

gatonazytab.eu

maravatudur.eu

jewezexigaf.eu

qeqekepokul.eu

kemygexaxab.eu

rynudepebur.eu

lyvitexemod.eu

tucoqepyryk.eu

xuxanexusov.eu

puzecypigyw.eu

cilyzycojod.eu

dikujysozyk.eu

vojugycavov.eu

fogisysemyq.eu

nofotycywos.eu

gadaqusupyj.eu

masenucifoc.eu

jepycudijyq.eu

qetuluvolos.eu

kerijudacyj.eu

ryqofuvenoc.eu

lymosudyqym.eu

tunarivutop.eu

xubeqidudyh.eu

puvybivihox.eu

cicucifokym.eu

dixilibaxop.eu

volojifebeh.eu

fokafobeqix.eu

nojepofyren.eu

gaherobusit.eu

magymofigeg.eu

jefubonokiz.eu

qedixogazen.eu

kepolonavit.eu

rytahagemeg.eu

lyrefanyril.eu

tuwypagupeb.eu

xuquranifir.eu

pumumagojef.eu

cinivamolil.eu

divoxehaceb.eu

vocakemenir.eu

foxehehywef.eu

nozydemutik.eu

galupehudev.eu

makiwemihiw.eu

jejomejoled.eu

qegovyqaxuk.eu

kefaxyjebav.eu

rydekyqyquw.eu

lysygyjytad.eu

tupudyqusuj.eu

xutityjigac.eu

purowuqokuq.eu

ciqanukaxas.eu

dimevuwevuj.eu

vonezukemac.eu

fobykuwyruq.eu

novugukupap.eu

gaciduwifuh.eu

maxotikojax.eu

jelaqirozum.eu

qekenilacap.eu

kejycirenuh.eu

ryhuzilywax.eu

lygujirupum.eu

tufigolidat.eu

xudosorihug.eu

pupatololoz.eu

citeqotacyn.eu

dirynozebot.eu

vowucotyqyg.eu

foqilozutoz.eu

nomojatudyn.eu

ganofazigor.eu

mavasatokyf.eu

jeceraxaxol.eu

qexyqapevyb.eu

kezubaxemor.eu

rylicepyryf.eu

lykolexusol.eu

tujajepifyv.eu

xugefexojow.eu

pufepepazyd.eu

cidyrecavok.eu

disumesenyv.eu

vopibycywow.eu

fotoxysupyd.eu

noralycifok.eu

gaqehysohec.eu

mamyfycoliq.eu

jenupydaces.eu

qeburuvenij.eu

kevimudyqec.eu

rycovuvutiq.eu

lyxaxududes.eu

tulekuvigij.eu

xukyhudokex.eu

pujuduvaxim.eu

cihipifebep.eu

digowibymih.eu

vofomifyrex.eu

fodavibusim.eu

nopexifigep.eu

gatykibojig.eu

marugofazez.eu

jewidonevin.eu

qeqotogemet.eu

kemawonywig.eu

rynenogupez.eu

lyvevonifun.eu

tucyzogojat.eu

xuxukanoluf.eu

puzigagacal.eu

cilodamenub.eu

dikatahyqar.eu

vojeqamutuf.eu

fogynahidal.eu

nofucemihub.eu

gaduzehokar.eu

masijemaxud.eu

jepogejebak.eu

qetaseqyquv.eu

keretejuraw.eu

ryqyqequsud.eu

lymunyjigak.eu

tunicyqokuv.eu

xubolyjazaq.eu

puvojyqevus.eu

cicafykemaj.eu

dixesywyruc.eu

volyrukupoq.eu

fokuquwifys.eu

nojibukojoj.eu

gahocuwalyc.eu

magalukacom.eu

jefejurenyp.eu

qedefulywoh.eu

kepypirutyx.eu

ryturilidom.eu

lyrimirohyp.eu

tuwobiloloh.eu

xuqaxiraxyx.eu

pumelilebon.eu

cinyhotyqyt.eu

divufozutog.eu

vocupotusyz.eu

foxirozigon.eu

nozomotokyt.eu

galavozaxog.eu

makexotevyl.eu

jejykaxymob.eu

qeguhapyrer.eu

kefidaxupif.eu

rydopapifel.eu

lysowaxojib.eu

tupamapazer.eu

xutevexecif.eu

puryxepenek.eu

ciqukecywiv.eu

dimigesupew.eu

vonodecidid.eu

fobatesohek.eu

novewecoliv.eu

gacenysacew.eu

maxyvycebid.eu

jeluzydyqej.eu

qekikyvutic.eu

kejogydideq.eu

ryhadyvigis.eu

lygetudokej.eu

tufyquvaxic.eu

xudunudeveq.eu

pupucuvymup.eu

citizufurah.eu

dirojubusux.eu

vowagufifam.eu

foqesibojup.eu

nomytifazah.eu

ganuqibevux.eu

mavinifenam.eu

jecocinywut.eu

qexoligupag.eu

kezajonifuz.eu

rylefogohan.eu

lykysonalut.eu

tujurogacag.eu

xugiqonenuz.eu

pufobogyqan.eu

cidacomutur.eu

diselahidaf.eu

vopejamogul.eu

fotyfahokab.eu

norupamaxur.eu

gaqirahebof.eu

mamomamymyl.eu

jenabejurov.eu

qebexequsyw.eu

kevylejigod.eu

rycuheqojyk.eu

lyxufejazov.eu

tulipeqevyw.eu

xukorejymod.eu

pujamyqywyk.eu

cihevykupoc.eu

digyxywifyq.eu

vofukykojos.eu

fodihywalyj.eu

nopodykecoc.eu

gatopuwenyq.eu

marawukyqos.eu

jewemurutyj.eu

qeqyvulidox.eu

kemuxurohym.eu

rynikulokop.eu

lyvoguraxeh.eu

tucadilebix.eu

xuxetiryqem.eu

puzewilurip.eu

cilynitiseg.eu

dikuvizigiz.eu

vojizitoken.eu

fogokozazit.eu

nofagoteveg.eu

gadedozymiz.eu

masytoturen.eu

jepuqoxupit.eu

qetunopifef.eu

kericoxojil.eu

ryqozapaleb.eu

lymajaxecir.eu

tunegapenef.eu

xubysaxywil.eu

puvutaputeb.eu

ciciqacidir.eu

dixonesohed.eu

volocecaluk.eu

fokalesaxav.eu

nojejecebuw.eu

gahyfesyqad.eu

magusecutuk.eu

jefiredisav.eu

qedoqyvoguq.eu

kepabydokas.eu

rytecyvaxuj.eu

lyrelydevac.eu

tuwyjyvymuq.eu

xuqufyduras.eu

pumipuvupuj.eu

cinorufifac.eu

divamubojum.eu

vocebufazap.eu

foxyxubecuh.eu

nozulufynax.eu

galuhubywum.eu

makififupap.eu

jejopiniduh.eu

qegarigohox.eu

kefeminalyn.eu

rydyvigecot.eu

lysuxinebyg.eu

tupikogyqoz.eu

xutohonutyn.eu

purodogidot.eu

ciqapomogyg.eu

dimewohokol.eu

vonymomaxyb.eu

fobuvohevor.eu

novixamymyf.eu

gacokahurol.eu

maxagamisyb.eu

jeledajifor.eu

qeketaqojyf.eu

kejywajazok.eu

ryhuneqevyv.eu

lygivejynow.eu

tufozequwyd.eu

xudakejupok.eu

pupegeqifev.eu

citydekohiw.eu

dirutewaled.eu

vowuqykecij.eu

foqinywenec.eu

nomocykyqiq.eu

ganazywutes.eu

mavejykidij.eu

jecygyrogec.eu

qexusulakiq.eu

kezituraxep.eu

ryloqulebih.eu

lykonurymex.eu

tujaculurim.eu

xugelurisep.eu

pufyjulogih.eu

cidufitojex.eu

disisizazim.eu

voporitevet.eu

fotaqizymig.eu

norebituwez.eu

gaqecizupun.eu

mamylotifat.eu

jenujoxojug.eu

qebifopalaz.eu

kevopoxecun.eu

rycaropynar.eu

lyxemoxyquf.eu

tulyboputal.eu

xukuxaxidub.eu

pujulapohar.eu

cihihacakuf.eu

digofasexal.eu

vofapacebuv.eu

foderasyqaw.eu

nopymecurud.eu

gatuvesisak.eu

marixecoguv.eu

jewokedokaw.eu

qeqohevazud.eu

kemadedevak.eu

rynepevymuc.eu

lyvywyduroq.eu

tucumyvipys.eu

xuxivydifoj.eu

puzoxyvojyc.eu

cilakyfaloq.eu

dikegybecys.eu

vojedufynoj.eu

fogytubuwyx.eu

nofuwufutom.eu

gadinubidyp.eu

masovufohoh.eu

jepazunalyx.eu

qetekugexom.eu

keryginebyp.eu

ryqudigyqog.eu

lymutinutyz.eu

tuniqigison.eu

xuboninogyt.eu

puvacigakog.eu

cicezomaxyz.eu

dixyjohevon.eu

volugomymet.eu

fokisohurif.eu

nojotomipel.eu

gahoqohofib.eu

maganomojer.eu

jefecajazif.eu

qedylaqecel.eu

kepujajynib.eu

rytifaquwer.eu

lyrosajupid.eu

tuwaraqidek.eu

xuqeqejohiv.eu

pumebeqalew.eu

cinycekecid.eu

divulewybek.eu

vocijekyqiv.eu

foxofewuteq.eu

nozapekidis.eu

galerywogej.eu

makymykakic.eu

jejubyrexeq.eu

qeguxylevus.eu

kefilyrymaj.eu

rydohyluruc.eu

lysafurisam.eu

tupepulofup.eu

xutyrurojah.eu

purumulazux.eu

ciqivutevam.eu

dimoxuzynup.eu

vonokutuwah.eu

fobahizipux.eu

noveditifan.eu

gacypizohut.eu

maxuwitalag.eu

jelimixecuz.eu

qekovipynan.eu

kejaxoxuqut.eu

ryhekoputag.eu

lygegoxidul.eu

tufydopogab.eu

xudutoxakur.eu

pupiwopexof.eu

citonocebyl.eu

diravasymob.eu

vowezacuryr.eu

foqykasisof.eu

nomugacogyk.eu

ganudasajov.eu

mavitacazyw.eu

jecoqedevod.eu

qexanevymyk.eu

kezeceduwov.eu

rylyzevipyw.eu

lykujedofod.eu

tujigevojyj.eu

xugosedaloc.eu

pufotyvecyq.eu

cidaqyfynos.eu

disenybuqyj.eu

vopycyfutoc.eu

fotulybidyq.eu

norijyfohop.eu

gaqofubakeh.eu

mamasufexix.eu

jenerunybem.eu

qebequgyqip.eu

kevybunureh.eu

rycucugisix.eu

lyxilunogem.eu

tulojigakit.eu

xukafinezeg.eu

pujepigeviz.eu

cihyrimymen.eu

digumihurit.eu

vofubimipeg.eu

fodixohofiz.eu

nopolomojen.eu

gatahohalir.eu

marefomecef.eu

jewypojynil.eu

qequroquweb.eu

kemimojitir.eu

rynovaqidef.eu

lyvoxajohul.eu

tucakaqalav.eu

xuxehajexuw.eu

puzydaqybad.eu

cilupakuquk.eu

dikiwewutav.eu

vojomekisuw.eu

fogavewogad.eu

nofexekakuk.eu

gadekewexac.eu

masygekevuq.eu

jepuderymas.eu

qetityluruj.eu

kerowyripac.eu

ryqanylofuq.eu

lymevyrajas.eu

tunyzylazuj.eu

xubukyrecax.eu

puvugulynum.eu

cicidutuwap.eu

dixotuzipuh.eu

volaqutodox.eu

fokenuzohym.eu

nojycutalop.eu

gahuzuzecyg.eu

magijityboz.eu

jefogixuqyn.eu

qedosiputot.eu

kepatixidyg.eu

ryteqipogoz.eu

lyrynixakyn.eu

tuwucopexot.eu

xuqiloxyvyf.eu

pumojopymol.eu

cinafocuryb.eu

divesosisor.eu

vocerocofyf.eu

foxyqosajol.eu

nozubacezyb.eu

galicasevor.eu

makolacynyd.eu

jejajaduwok.eu

qegefavipev.eu

kefypadofiw.eu

rydurevohed.eu

lysumedalik.eu

tupibevecev.eu

xutoxedyniq.eu

puralevuqes.eu

ciqehefitij.eu

dimyfebidec.eu

vonupyfogiq.eu

fobirybakes.eu

novomyfexij.eu

gacovybybec.eu

maxaxyfumim.eu

jelekynurep.eu

qekyhugisih.eu

kejudunogex.eu

ryhipugajim.eu

lygowunezep.eu

tufamugevih.eu

xudevunymex.eu

pupexuguwun.eu

citykimipat.eu

dirugihofug.eu

vowidimajaz.eu

foqotihalun.eu

nomawimecat.eu

ganenihynug.eu

mavyvomuqal.eu

jecuzojitub.eu

qexukoqodar.eu

kezigojohuf.eu

rylodoqakal.eu

lykatojexub.eu

tujeqoqybar.eu

xugynajuquf.eu

pufucaqurak.eu

cidizakisuv.eu

disojawogaw.eu

vopogakakud.eu

fotasawezak.eu

noretekyvuv.eu

gaqyqewymow.eu

mamunekuryd.eu

jeniceripoj.eu

qebolelofyc.eu

kevajerajoq.eu

rycefelelys.eu

lyxesyrecoj.eu

tulyrylynyc.eu

xukuqyruwoq.eu

pujibylityp.eu

cihocytodoh.eu

digalyzohyx.eu

vofejutalom.eu

fodyfuzexyp.eu

nopuputyboh.eu

gaturuzuqyx.eu

marimutitom.eu

jewobuxisyt.eu

qeqaxupogog.eu

kemelixakyz.eu

rynyhipexon.eu

lyvufixyvet.eu

tucipipumig.eu

xuxorixurez.eu

puzomipipin.eu

cilavocofer.eu

dikexosajif.eu

vojykocezel.eu

foguhosecib.eu

nofidocyner.eu

gadoposuwif.eu

masawocipel.eu

jepemadodiv.eu

qetevavahew.eu

keryxadalid.eu

ryqukavecek.eu

lymigadybiv.eu

tunodavuqew.eu

xubateditid.eu

puvewevodek.eu

cicynefogic.eu

dixuvebakeq.eu

voluzefexus.eu

fokikebyvaj.eu

nojogefumuc.eu

gahadyburaq.eu

magetyfisus.eu

jefyqynofaj.eu

qedunygajux.eu

kepicynezam.eu

rytozygyvup.eu

lyrojunynah.eu

tuwaguguwux.eu

xuqesunipam.eu

pumytugofup.eu

cinuqumahag.eu

divinuheluz.eu

vococumecan.eu

foxalihynut.eu

nozejimuqag.eu

galefihituz.eu

makysimodan.eu

jejurijogut.eu

qegiqiqakof.eu

kefobojexyl.eu

rydacoqybob.eu

lyselojumyr.eu

tupyjoqirof.eu

xutufojisyl.eu

purupoqogob.eu

ciqirokajyr.eu

dimomawezod.eu

vonabakyvyk.eu

fobexawumov.eu

novylakuwyw.eu

gacuhawipod.eu

maxifakofyk.eu

jeloperajov.eu

qekorelelyq.eu

kejamerecos.eu

ryhevelynyj.eu

lygyxeruqoc.eu

tufukelityq.eu

xudiherodos.eu

pupodylahej.eu

citapytakic.eu

direwyzexem.eu

vowemytybip.eu

foqyvyzuqeh.eu

nomuxytirix.eu

ganikuzosem.eu

mavogutogip.eu

jecaduxakeh.eu

qexetupezix.eu

kezywuxyven.eu

rylunupumit.eu

lykuvuxureg.eu

tujizipipiz.eu

xugokixofen.eu

pufagipajit.eu

cidediceleg.eu

disytisycil.eu

vopuqicyneb.eu

fotinosuwir.eu

norococitef.eu

gaqozosodul.eu

mamajocahab.eu

jenegodelur.eu

qebysovexaf.eu

kevutodybuk.eu

ryciqavuqav.eu

lyxonadituw.eu

tulacavosad.eu

xukeladoguk.eu

pujejavakav.eu

cihyfafexuw.eu

digusebyvad.eu

vofirefumuj.eu

fodoqebirac.eu

nopabefipuq.eu

gatecebofas.eu

marylefajuj.eu

jewujenezac.eu

qequfygycuq.eu

kemipynunap.eu

rynoryguwuh.eu

lyvamynipox.eu

tucebygodym.eu

xuxyxynahop.eu

puzulugelyh.eu

cilihumecox.eu

dikofuhybym.eu

vojopumuqot.eu

fogaruhityg.eu

nofemumodoz.eu

gadyvuhagyn.eu

masuximakot.eu

jepikijexyg.eu

qetohiqyvoz.eu

keradijumyn.eu

ryqepiqiror.eu

lymewijosyf.eu

tunymoqofol.eu

xubuvojajyb.eu

puvixoqezor.eu

cicokokyvyf.eu

dixagowunol.eu

voledokuwev.eu

fokytowipiw.eu

nojuwakofed.eu

gahunawahik.eu

magivakelev.eu

jefozaryciw.eu

qedakalyned.eu

kepegaruqik.eu

rytydelitec.eu

lyruterodiq.eu

tuwiqelages.eu

xuqonerekij.eu

pumocelexec.eu

cinazetybiq.eu

divejezumes.eu

vocygytirij.eu

foxusyzosex.eu

nozitytogim.eu

galoqyzajep.eu

makanytezih.eu

jejecyxyvex.eu

qegelupumum.eu

kefyjuxiwap.eu

rydufupipug.eu

lysisuxofaz.eu

tuporupajun.eu

xutaquxelat.eu

purebupycug.eu

ciqycicunaz.eu

dimulisuqun.eu

vonujicitat.eu

fobifisoduf.eu

novopicahal.eu

gacarisekub.eu

maxemocexar.eu

jelybodybuf.eu

qekuxovuqal.eu

kejilodirub.eu

ryhohovosar.eu

lygofodagud.eu

tufapovakak.eu

xuderadezuv.eu

pupymavyvow.eu

cituvafumyd.eu

dirixabirok.eu

vowokafopyv.eu

foqahabofoq.eu

nomedefajys.eu

ganepebeloj.eu

mavywefycyc.eu

jecumenunoq.eu

qexiveguwys.eu

kezoxenitoj.eu

rylakegodyc.eu

lykegynahom.eu

tujydygelyp.eu

xugutynyxoh.eu

pufuwygybyx.eu

cidinymuqom.eu

disovyhityp.eu

vopazumosoh.eu

fotekuhagyx.eu

norygumekon.eu

gaquduhexet.eu

mamitumyvig.eu

jenoqujumez.eu

qebonuqirin.eu

kevacijopet.eu

ryceziqofig.eu

lyxyjijajel.eu

tulugiqezib.eu

xukisijycer.eu

pujotiqunif.eu

cihaqokiwel.eu

digenowipib.eu

vofecokoder.eu

fodylowahif.eu

nopujokelek.eu

gatifowyciv.eu

marosokubew.eu

jewararuqid.eu

qeqeqalitek.eu

kemybarodiv.eu

rynucalagew.eu

lyvularekud.eu

tucijalexaj.eu

xuxoferyvuc.eu

puzapelumaq.eu

cileretirus.eu

dikymezosaj.eu

vojubetafuc.eu

fogixezajaq.eu

nofoletezup.eu

gadohyzyvah.eu

masafytunux.eu

jepepyxiwam.eu

qetyrypopup.eu

kerumyxofah.eu

ryqivypahux.eu

lymoxuxelam.eu

tunakupycut.eu

xubehuxunag.eu

puvedupuquz.eu

cicypucitan.eu

dixuwusodut.eu

volimucagog.eu

fokovisekyz.eu

nojaxicyxon.eu

gahekisybyr.eu

magygicumof.eu

jefudidiryl.eu

qedutivosob.eu

kepiwodagyr.eu

rytonovejof.eu

lyravodezyl.eu

tuwezovyvov.eu

xuqykodumyw.eu

pumugoviwod.eu

cinidofopyk.eu

divotabofov.eu

vocoqafajyw.eu

foxanabelod.eu

nozecafycyk.eu

galyzabunoc.eu

makujafiqyq.eu

jejigenitos.eu

qegosegodej.eu

kefatenahic.eu

rydeqegekeq.eu

lysenenyxis.eu

tupycegubej.eu

xutulenuqix.eu

purijygirem.eu

ciqofymosip.eu

dimasyhageh.eu

vonerymekix.eu

fobyqyhezem.eu

novubymyvip.eu

gacucuhumeg.eu

maxilumiriz.eu

jelojujopen.eu

qekafuqafit.eu

kejepujajeg.eu

ryhyruqeliz.eu

lygumujycen.eu

tufibiqunit.eu

xudoxijiwef.eu

pupoliqotul.eu

citahikodab.eu

direfiwahur.eu

vowypikelaf.eu

foqurowyxul.eu

nomimokubab.eu

ganovowuqur.eu

mavaxokitad.eu

jecekorosuk.eu

qexeholagav.eu

kezydorekuw.eu

rylupalyxad.eu

lykiwaryvuk.eu

tujomalumav.eu

xugavariruq.eu

pufexalopas.eu

cidykatafuj.eu

disugezejac.eu

vopudetezuq.eu

fotitezycas.eu

norowetunuj.eu

gaqaneziwoc.eu

mamevetopym.eu

jenyzexodop.eu

qebukypahyh.eu

kevigyxelox.eu

rycodypycym.eu

lyxotyxubop.eu

tulaqypiqyh.eu

xukenyxitox.eu

pujycupodyn.eu

cihuzucagot.eu

digijusekyg.eu

vofogucyxoz.eu

fodasusuvyn.eu

nopetucumot.eu

gatequsiryg.eu

marynicosol.eu

jewucidafyb.eu

qeqilivejor.eu

kemojidezyf.eu

rynafivyvol.eu

lyvesiduneb.eu

tucyroviwir.eu

xuxuqodopef.eu

puzubovafik.eu

cilicofahev.eu

dikolobeliw.eu

vojajofyced.eu

fogefobunik.eu

nofypafiqev.eu

gadurabotiw.eu

masimafoded.eu

jepobanagij.eu

qetoxagekec.eu

keralanyxiq.eu

ryqehegubes.eu

lymyfenumij.eu

tunupegirec.eu

xubirenosiq.eu

puvomegagep.eu

cicavemejih.eu

dixexehyzex.eu

volekymyvum.eu

fokyhyhumap.eu

nojudymiwuh.eu

gahipyhopax.eu

magowymafum.eu

jefamyjejat.eu

qedevuqelug.eu

kepyxujycaz.eu

rytukuqunun.eu

lyrugujiqat.eu

tuwiduqotug.eu

xuqotujodaz.eu

pumawuqahun.eu

cinenikekar.eu

divyviwyxuf.eu

vocuzikubal.eu

foxikiwiqub.eu

nozogikirar.eu

galodiwosuf.eu

makatokagal.eu

jejeqorekuv.eu

qegynolyzow.eu

kefucoruvyd.eu

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE,"	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe

Simda family
simda
simda
Simda is an infostealer written in C++.
stealer trojan simda

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
354	4188	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
3184	setup.exe
4492	setup.exe
4404	setup.exe
5104	setup.exe
2488	setup.exe
4852	setup.exe
2376	setup.exe
1860	setup.exe
3296	setup.exe
3128	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE"	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE"	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4f9d710a = "\x1fÜº[?žµÿX\x7fR^ÞÊ\aî3n\x1fÆ{\x05?“„Ý\x05‹\[email protected]†ò¡ÿ\x1a\u00adÊOeí‹•E:öÃVÊ§õÞcí…¶u¿n°d€\x0et~<_ç)ñ~w\bÌÝ¤%øWPæ\x1cV\x1e_\x14\x06$\x0e¯/œ\x7f.4Ô\x16»·\v\x063÷#ÔWÏ&ók\x16<ûv†LË\v4¤œŒ\v–\x06Çfã[¦ë\x1c“‹K—\x0eÖ\x06¯\x13¿ëÎÌ,ÆƒÇ÷óÔƒ«+¼\x06\x7fÛ\\ÿ¦T¬ÌcfžŸ«'´»,'>¬W«~vS3ÓçäÇóLL.\\sv\a'_ô$·VãÔ—£÷+\x06”\f[4ƒLL\x0e/f\x14Ël>¾Ë[O¬Ç\x7f®fþæ®[\\çCWËŸtÓ&«\x03~nž<\a,\|\x04[FF¬ì"	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3952-0-0x0000000000400000-0x000000000054D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\msedge.hollow.7z	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\concrt140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dual_engine_adapter_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kn.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ca-Es-VALENCIA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\onramp.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\as.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vcruntime140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\el.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3956	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com\NumberOfSubdomains = "0"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "1"	wwahost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\elevation_service.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\MuiCache	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com\ = "0"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState\EdpCleanupState = "0"	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
2488	setup.exe
2488	setup.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Token: SeSecurityPrivilege	3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Token: SeSecurityPrivilege	3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Token: SeSecurityPrivilege	3952	JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
Token: 33	3184	setup.exe
Token: SeIncBasePriorityPrivilege	3184	setup.exe
Token: SeDebugPrivilege	3444	wwahost.exe
Token: SeDebugPrivilege	3444	wwahost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3444	wwahost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3184	3716	MicrosoftEdge_X64_132.0.2957.140.exe	97
PID 3716 wrote to memory of 3184	3716	MicrosoftEdge_X64_132.0.2957.140.exe	97
PID 3184 wrote to memory of 4492	3184	setup.exe	98
PID 3184 wrote to memory of 4492	3184	setup.exe	98
PID 3184 wrote to memory of 4404	3184	setup.exe	99
PID 3184 wrote to memory of 4404	3184	setup.exe	99
PID 4404 wrote to memory of 5104	4404	setup.exe	100
PID 4404 wrote to memory of 5104	4404	setup.exe	100
PID 3184 wrote to memory of 2488	3184	setup.exe	101
PID 3184 wrote to memory of 2488	3184	setup.exe	101
PID 3184 wrote to memory of 4852	3184	setup.exe	102
PID 3184 wrote to memory of 4852	3184	setup.exe	102
PID 2488 wrote to memory of 2376	2488	setup.exe	103
PID 2488 wrote to memory of 2376	2488	setup.exe	103
PID 3184 wrote to memory of 1860	3184	setup.exe	104
PID 3184 wrote to memory of 1860	3184	setup.exe	104
PID 4852 wrote to memory of 3296	4852	setup.exe	105
PID 4852 wrote to memory of 3296	4852	setup.exe	105
PID 1860 wrote to memory of 3128	1860	setup.exe	106
PID 1860 wrote to memory of 3128	1860	setup.exe	106

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e983e7b9e6d848397029c2b2d73b7fcc.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkNBMUIyNjQtOEQzNS00NEE4LTk1MkYtMTlGMDJDNzBDOUJCfSIgdXNlcmlkPSJ7M0E5QzVCRUItRjg1MC00Q0Y4LTkzMzktQUMwOTA1QTdBQzUyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Qjg5ODVCMkUtNUE4Mi00MUUwLUFGNUItMUJDRjYyOTQ2QkI5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjkxNDE5MTE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3956

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\MicrosoftEdge_X64_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3184
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ddb6a818,0x7ff6ddb6a824,0x7ff6ddb6a830
    3⤵
    - Executes dropped EXE
    PID:4492
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ddb6a818,0x7ff6ddb6a824,0x7ff6ddb6a830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6eb1ba818,0x7ff6eb1ba824,0x7ff6eb1ba830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6eb1ba818,0x7ff6eb1ba824,0x7ff6eb1ba830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3296
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6eb1ba818,0x7ff6eb1ba824,0x7ff6eb1ba830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:4744

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
PID:3928

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F894C887-2956-4469-9BB9-5B78EA625A4F}\EDGEMITMP_74DB6.tmp\setup.exe

Filesize
6.6MB

MD5
b4c8ad75087b8634d4f04dc6f92da9aa

SHA1
7efaa2472521c79d58c4ef18a258cc573704fb5d

SHA256
522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

SHA512
5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.7MB

MD5
3646786aea064c0845f5bb1b8e976985

SHA1
a31ba2d2192898d4c0a01511395bdf87b0e53873

SHA256
a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

SHA512
145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

Download Submit
C:\Program Files\msedge_installer.log

Filesize
70KB

MD5
2ec84276fe5e08eefa22162fa7e0f79e

SHA1
41a287c7e75d24a057475dad76acc5ad075457b7

SHA256
8580c5f6c575bf44f1e1ed3b14a69e0776c7ad8bc412a05b4d59fd80020b708b

SHA512
810fe457f7b5110f640cc1e5f3d1efd3ffbbe7947c32965eb16450a6da0be48302b4d16fc18454b0e5abb83bf1a2d5c30295a425becc900773191081930e3a56

Download Submit
C:\Program Files\msedge_installer.log

Filesize
96KB

MD5
050a88ce9f3798e4dc00a9e13d836df2

SHA1
a24bfec953dbadf2efbc53a83b3229c0f7b0b4a3

SHA256
eb0b1be373a50207b619910b3b3d4fc6686a7347812524ee0e59e87e2b34a424

SHA512
87341c1d2b9ab5d72397d5c3211484a6355b387dd8ddbc1f554e7ecbcec3a47fe113076ffe0affdd920e3948e69c11e2c7023108aae446e289711c6e242914cf

Download Submit
C:\Program Files\msedge_installer.log

Filesize
97KB

MD5
16608754cd3f42033aaa50bf37202da8

SHA1
f169c55d8e4b9a62c18f72ba0034bba7e0bf63d7

SHA256
b9592529aca36835764cfa73aca71f1bb92b040509fd577176aaa9742d1ce769

SHA512
c2d38f6828845ccd8bc5ce59d7a8f361dc40490292d8b2e6570d90c6a2551ed764acf4f63505f0428512a2f88cd9e1525d2d12fe9184d352d75c3e2e91d8eead

Download Submit
C:\Program Files\msedge_installer.log

Filesize
102KB

MD5
bd3e30b0bfdfa644b63ffa4a50cf4e14

SHA1
7d991cf9bbb6ef4c164244ba94439843c6cf5d7b

SHA256
fc4f93f4338cca10dc3bda2e75b6fa45f7443d0e32754f776bc79c3a332ea3e2

SHA512
d400ea26645c4fa4cc2e1f4ea892f83db912f0040a95c1d88a54ffcf85313a27552d9df99a346183687537aeea220fb241d92b33b3d081cabdd927d5de40a9b6

Download Submit
memory/3928-256-0x000001DE67340000-0x000001DE67589000-memory.dmp

Filesize
2.3MB

Download
memory/3928-255-0x000001DE4BF90000-0x000001DE4BF98000-memory.dmp

Filesize
32KB

Download
memory/3928-254-0x000001DE4BF60000-0x000001DE4BF6A000-memory.dmp

Filesize
40KB

Download
memory/3928-253-0x000001DE4BAB0000-0x000001DE4BABE000-memory.dmp

Filesize
56KB

Download
memory/3952-89-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-82-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-65-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-74-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-113-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-112-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-111-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-110-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-109-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-108-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-107-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-105-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-104-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-103-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-102-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-101-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-100-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-99-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-98-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-97-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-96-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-95-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-87-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-94-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-92-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-91-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-90-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-10-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-88-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-86-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-85-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-84-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-83-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-8-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-81-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-79-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-78-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-77-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-75-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-73-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-72-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-71-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-70-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-69-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-68-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-67-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-66-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-64-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-63-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-62-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-106-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-61-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-93-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-60-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-59-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-6-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-5-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/3952-4-0x0000000002340000-0x00000000023F2000-memory.dmp

Filesize
712KB

Download
memory/3952-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-1-0x0000000000690000-0x00000000006D7000-memory.dmp

Filesize
284KB

Download
memory/3952-0-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/3952-80-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-58-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-76-0x00000000028E0000-0x0000000002998000-memory.dmp

Filesize
736KB

Download
memory/3952-126-0x0000000000690000-0x00000000006D7000-memory.dmp

Filesize
284KB

Download
memory/3952-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download