cycbot | 2e5c48c3baebf8a7b343cf325948f7d5180d265e311c6ba9e381d3e879cd0876

Analysis

max time kernel
53s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
Size

276KB
MD5

8b8e02c5f114d969b2e1d0a51adc1e99
SHA1

072cb2f9ba87c7be54ecf9acc5092db930e6ff5a
SHA256

2e5c48c3baebf8a7b343cf325948f7d5180d265e311c6ba9e381d3e879cd0876
SHA512

2278ad84875a8431d0af3af49200ffee5e74215c3fd353c3ac8e1d0c093cf79bbf075f48039c7252dbdbacb58ff0885bc7ec1fef06ff9d2e6499fe90a4ed4f20
SSDEEP

6144:pQpNUHWT2fVdpLs5Tglk0fRSeJQHWCHYgOxk2iNlf/GcqRoEpzTe:pQpNJTiDpLI0lHZSeJQf+k/NlnuzT

Score

10^/10

cycbot pony backdoor credential_access defense_evasion discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/1732-3-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral2/memory/1732-5-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3488-17-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/1732-18-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/3852-80-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/1732-94-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
defense_evasion

Executes dropped EXE 1 IoCs

pid	Process
4060	E8E9.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CC2.exe = "C:\\Program Files (x86)\\LP\\1DDE\\CC2.exe"	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1732-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1732-3-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/1732-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3488-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1732-18-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3852-80-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1732-94-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\1DDE\CC2.exe	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
File created	C:\Program Files (x86)\LP\1DDE\CC2.exe	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
File opened for modification	C:\Program Files (x86)\LP\1DDE\E8E9.tmp	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E8E9.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8 = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "410"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8 = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "You have selected %1 as the default voice."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8 = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1031-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Adult"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\MSTTSLocitIT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4196	msiexec.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	3208	explorer.exe
Token: SeCreatePagefilePrivilege	3208	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	1472	explorer.exe
Token: SeCreatePagefilePrivilege	1472	explorer.exe
Token: SeShutdownPrivilege	2612	explorer.exe
Token: SeCreatePagefilePrivilege	2612	explorer.exe
Token: SeShutdownPrivilege	2612	explorer.exe
Token: SeCreatePagefilePrivilege	2612	explorer.exe
Token: SeShutdownPrivilege	2612	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
1472	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe
4956	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4768	StartMenuExperienceHost.exe
2144	StartMenuExperienceHost.exe
4144	StartMenuExperienceHost.exe
4856	SearchApp.exe
5036	StartMenuExperienceHost.exe
3720	SearchApp.exe
4324	StartMenuExperienceHost.exe
3024	StartMenuExperienceHost.exe
2824	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3488	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	96
PID 1732 wrote to memory of 3488	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	96
PID 1732 wrote to memory of 3488	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	96
PID 1732 wrote to memory of 3852	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	101
PID 1732 wrote to memory of 3852	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	101
PID 1732 wrote to memory of 3852	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	101
PID 1732 wrote to memory of 4060	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	104
PID 1732 wrote to memory of 4060	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	104
PID 1732 wrote to memory of 4060	1732	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe	104

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1732
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe startC:\Users\Admin\AppData\Roaming\E1458\7B11D.exe%C:\Users\Admin\AppData\Roaming\E1458
  2⤵
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b8e02c5f114d969b2e1d0a51adc1e99.exe startC:\Program Files (x86)\58C29\lvvm.exe%C:\Program Files (x86)\58C29
  2⤵
  PID:3852
- C:\Program Files (x86)\LP\1DDE\E8E9.tmp
  "C:\Program Files (x86)\LP\1DDE\E8E9.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\LP\1DDE\CC2.exe
1⤵
PID:4660

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2504

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\1DDE\E8E9.tmp

Filesize
96KB

MD5
a5a8de31397ec7ea7d73fe0d7eaf4b74

SHA1
a75318e3568426a430575ae180319aa7af1e59bf

SHA256
9dff1eba4eaa64d0830fc56aee29ac7ea940c640845344e579699029cdd9089c

SHA512
a57b65a63b00c88452d7457a8b90104d8c5f6bca7d054cb6347e0ee10ac1e3fec3488b7bdf372ae45cc2fd153468590589d64c8d1f4fe2d689fe02a26a5e1138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
c2c4e29c12b8e8a12e95957ce3dbd5d0

SHA1
d24e2cad83d65b4e8e946a406a5404952862580a

SHA256
54035918f1376378870ca62f8c7676e00938d0558d3362371feb0be6be9c1782

SHA512
de41a0e2751892dbb91ae925f768161de62c7b909e0207018d63cf3e4108aa09dfc6a3821401e85ba31c8c06b205abfc1f34d59dcbf57eeb9f3296382d8fa6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
c677a7d84b60e13de2e9a2d5071026c7

SHA1
6768d86d5e3231119136278a9c372356780bd673

SHA256
6eedcc5193182f7f65d689b9901e726a098656e253b21cc46c54a9ab344e5a67

SHA512
1483fe3a0b9c4df143129256a924b825c0e391b2d6ea10553f049f5d2ec696890da8c02ade9c2e5dc6a77b4dd3e00336d62725743d5e162e64e919d9c465c252

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
4e5171b7d6de20debd2a6bbe01cdcfc0

SHA1
e3513183315cb113fb1daaaee12883554436bc6b

SHA256
3e77a249bcb8136e2f4ad9cfdbf2ca57ab4f7b742f417fc03f1143e9ae261bcc

SHA512
8d58539adcb6a786f4b37bb8dbed726e731536adc370086817374fab7840ab2a30e77e40987224679ee9d21605154c6fd62d413ac634651cf4225d11d72e5284

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133877421617127881.txt

Filesize
86KB

MD5
dbb05f808b483453a6205922ddf81804

SHA1
72bc1fc67cf4574ea96585848d67ad8be6931d10

SHA256
bfe2543bfc6d5ecff340c548effa9e85c72fe63fd06bf63ce43be69bb053caff

SHA512
c2122640c201c86b4830117083d28c710838eac98b08b91619ee9cb37ae413cfb42a2f73f071839d4352ac459243b9507e2c481d746b1196034b6cad5ad3ab07

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VQX1G21I\microsoft.windows[1].xml

Filesize
97B

MD5
30f2c9ec9fde35e07c5e294cb7cacdc6

SHA1
369534f00cf17850dd8c1526ed7dd1996d880943

SHA256
ac0a9e3dcaf872fec32415fe0e2e821a5a75f18fd940ed3777c02ac9032c2b46

SHA512
34a1b7612bee443570361cb8f6c3eed38f7a2c34a9dd791edb8ec28c3693d854a1615b9e9ad1e8ed7136832fa510ea246545aec10dc51ece21b4bec317289664

Download Submit
C:\Users\Admin\AppData\Roaming\E1458\8C29.145

Filesize
1KB

MD5
eea102493393a237c42f69d1e718ad14

SHA1
ff085b9a4361cc87f4f28829c00695b98f85ce7d

SHA256
202881731662223e425fc0e99526790497e7986cf580939ce0153fa141885691

SHA512
e78608acc136d1064242a60c4c8f9c9b97bbbb0600bd95a70e9df1ca14b1f5fac87d02dd6e3762ee0ae091bb349ba9b34c73305828a733c0725ff06676fcd29d

Download Submit
C:\Users\Admin\AppData\Roaming\E1458\8C29.145

Filesize
600B

MD5
04e28dd188203616e8ae0a504d798b7d

SHA1
04c6b9631dbe6de745ac853382a797316ac639fd

SHA256
6d3d461d68ca3970fddb762fd4146ab9b52a51921d5168084c8a3cc34793e51e

SHA512
07a6ada67d3477509879a4720229ac2cd1095654d7c8524924661366446c035a8dd0fd3c68d089efecf1a007df262978acdc57b89d7433ff192a9f2ab02b9769

Download Submit
C:\Users\Admin\AppData\Roaming\E1458\8C29.145

Filesize
1KB

MD5
1ab744e0c9b6085f5f50aa6cb16f78e2

SHA1
e1ccdb963feccf7f273ff9aee58d60dd649fadcc

SHA256
eefe171f9f6f108de12128767915e54cb686b19649b036e7846a3d5a25ad9006

SHA512
40ba5e6e095893466d11dac37ab647de91e7480caceb761928898f0782b1b7f62cbbf2686040783ff588a6ce2a61a6881e27e4706f851d45270a1cf6eba262d2

Download Submit
memory/700-1091-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/812-651-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1732-94-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-3-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1732-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-18-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1932-1116-0x000002C930720000-0x000002C930740000-memory.dmp

Filesize
128KB

Download
memory/1932-1093-0x000002C92F1F0000-0x000002C92F2F0000-memory.dmp

Filesize
1024KB

Download
memory/1932-1094-0x000002C92F1F0000-0x000002C92F2F0000-memory.dmp

Filesize
1024KB

Download
memory/1932-1103-0x000002C930320000-0x000002C930340000-memory.dmp

Filesize
128KB

Download
memory/1932-1098-0x000002C930360000-0x000002C930380000-memory.dmp

Filesize
128KB

Download
memory/1948-652-0x000002C862720000-0x000002C862820000-memory.dmp

Filesize
1024KB

Download
memory/1948-653-0x000002C862720000-0x000002C862820000-memory.dmp

Filesize
1024KB

Download
memory/1948-667-0x000002C863830000-0x000002C863850000-memory.dmp

Filesize
128KB

Download
memory/1948-680-0x000002C863C40000-0x000002C863C60000-memory.dmp

Filesize
128KB

Download
memory/1948-657-0x000002C863870000-0x000002C863890000-memory.dmp

Filesize
128KB

Download
memory/1948-654-0x000002C862720000-0x000002C862820000-memory.dmp

Filesize
1024KB

Download
memory/2352-956-0x000001E478A20000-0x000001E478A40000-memory.dmp

Filesize
128KB

Download
memory/2352-951-0x000001E477900000-0x000001E477A00000-memory.dmp

Filesize
1024KB

Download
memory/2352-980-0x000001E478DF0000-0x000001E478E10000-memory.dmp

Filesize
128KB

Download
memory/2352-966-0x000001E4787E0000-0x000001E478800000-memory.dmp

Filesize
128KB

Download
memory/2612-189-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2672-950-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/2824-508-0x00000208CFB00000-0x00000208CFC00000-memory.dmp

Filesize
1024KB

Download
memory/2824-539-0x00000208D0FB0000-0x00000208D0FD0000-memory.dmp

Filesize
128KB

Download
memory/2824-530-0x00000208D0BA0000-0x00000208D0BC0000-memory.dmp

Filesize
128KB

Download
memory/2824-513-0x00000208D0BE0000-0x00000208D0C00000-memory.dmp

Filesize
128KB

Download
memory/2824-509-0x00000208CFB00000-0x00000208CFC00000-memory.dmp

Filesize
1024KB

Download
memory/3488-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3488-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3720-361-0x000001F5BE260000-0x000001F5BE280000-memory.dmp

Filesize
128KB

Download
memory/3720-380-0x000001F5BE620000-0x000001F5BE640000-memory.dmp

Filesize
128KB

Download
memory/3720-369-0x000001F5BE220000-0x000001F5BE240000-memory.dmp

Filesize
128KB

Download
memory/3720-357-0x000001F5BD100000-0x000001F5BD200000-memory.dmp

Filesize
1024KB

Download
memory/3720-358-0x000001F5BD100000-0x000001F5BD200000-memory.dmp

Filesize
1024KB

Download
memory/3764-506-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/3852-80-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4060-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4200-1239-0x00000291A3100000-0x00000291A3200000-memory.dmp

Filesize
1024KB

Download
memory/4200-1244-0x00000291A4240000-0x00000291A4260000-memory.dmp

Filesize
128KB

Download
memory/4200-1241-0x00000291A3100000-0x00000291A3200000-memory.dmp

Filesize
1024KB

Download
memory/4856-190-0x0000026252E40000-0x0000026252F40000-memory.dmp

Filesize
1024KB

Download
memory/4856-216-0x0000026254240000-0x0000026254260000-memory.dmp

Filesize
128KB

Download
memory/4856-191-0x0000026252E40000-0x0000026252F40000-memory.dmp

Filesize
1024KB

Download
memory/4856-195-0x0000026253E70000-0x0000026253E90000-memory.dmp

Filesize
128KB

Download
memory/4856-204-0x0000026253E30000-0x0000026253E50000-memory.dmp

Filesize
128KB

Download
memory/4956-354-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/5520-1237-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5676-797-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/6116-814-0x0000025305690000-0x00000253056B0000-memory.dmp

Filesize
128KB

Download
memory/6116-827-0x0000025305CA0000-0x0000025305CC0000-memory.dmp

Filesize
128KB

Download
memory/6116-799-0x0000025304900000-0x0000025304A00000-memory.dmp

Filesize
1024KB

Download
memory/6116-800-0x0000025304900000-0x0000025304A00000-memory.dmp

Filesize
1024KB

Download
memory/6116-805-0x00000253056D0000-0x00000253056F0000-memory.dmp

Filesize
128KB

Download