pony | 79c52865086ccba7f563ded0055cf0e5d025a066b3cdbf015e670d5ef4315ad6

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
Size

278KB
MD5

da5e63e1b126dfd4990b891845a18ea7
SHA1

54aac9466b1db1089cdaa16750f667faf8973de0
SHA256

79c52865086ccba7f563ded0055cf0e5d025a066b3cdbf015e670d5ef4315ad6
SHA512

986ef221484285da52a4e3e63fafa6b42f3ab9b96649b726fac8a0a4df10f70c2a22171bf683b90658a72cff92170be7c0f3d1b940bf305a9ca785857972c381
SSDEEP

6144:MCvJSq7COG+85s5CbLWTrRInjbtMB/TsQOtyA5ytDSXh24p0:fvsq7C5p5sW6hIjbAXJAcRKhD

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
4520	E2AF.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3492-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1036-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1036-9-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1036-15-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3492-16-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/3492-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3900-76-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3492-77-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3492-160-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3492-1051-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\E67.exe = "C:\\Program Files (x86)\\LP\\4897\\E67.exe"	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\4897\E67.exe	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\4897\E2AF.tmp	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\4897\E67.exe	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E2AF.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fac000000000000002000000e80709004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002200000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000cfa3f0f74704db0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002300000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000066f5c0f74704db0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{FD87E72A-D522-40AA-9B69-C4AA721CD09A}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1160	msiexec.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	3908	explorer.exe
Token: SeCreatePagefilePrivilege	3908	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	4672	explorer.exe
Token: SeCreatePagefilePrivilege	4672	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe
Token: SeCreatePagefilePrivilege	2356	explorer.exe
Token: SeShutdownPrivilege	2356	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
3908	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
4672	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3292	StartMenuExperienceHost.exe
4180	StartMenuExperienceHost.exe
3456	StartMenuExperienceHost.exe
744	SearchApp.exe
2456	StartMenuExperienceHost.exe
3856	SearchApp.exe
1932	StartMenuExperienceHost.exe
5112	SearchApp.exe
2864	StartMenuExperienceHost.exe
4580	SearchApp.exe
4316	StartMenuExperienceHost.exe
4672	SearchApp.exe
1404	StartMenuExperienceHost.exe
3760	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1036	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	89
PID 3492 wrote to memory of 1036	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	89
PID 3492 wrote to memory of 1036	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	89
PID 3492 wrote to memory of 3900	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	97
PID 3492 wrote to memory of 3900	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	97
PID 3492 wrote to memory of 3900	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	97
PID 3492 wrote to memory of 4520	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	99
PID 3492 wrote to memory of 4520	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	99
PID 3492 wrote to memory of 4520	3492	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe	99

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3492
- C:\Users\Admin\AppData\Local\Temp\da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\7A50A\3D648.exe%C:\Users\Admin\AppData\Roaming\7A50A
  2⤵
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\da5e63e1b126dfd4990b891845a18ea7_JaffaCakes118.exe startC:\Program Files (x86)\0AD55\lvvm.exe%C:\Program Files (x86)\0AD55
  2⤵
  PID:3900
- C:\Program Files (x86)\LP\4897\E2AF.tmp
  "C:\Program Files (x86)\LP\4897\E2AF.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies registry class
PID:2272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\4897\E2AF.tmp

Filesize
96KB

MD5
95fd9f7a57aa12c44a0c97428c0181a9

SHA1
e379a1985d6267a95ebb97df650d64771dcd77b5

SHA256
f82e774ac4f906a9b0fd30d41c34b1ee90c0c9e809bf4bf66cd56a3439deccb6

SHA512
07ff5c98b8507cca93725091450997140cbb5808e245ccaeeba70ba162d8340b4977ba98230cd81902d2558edb8df484c5aed799387490cba316439f96b15737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
5c1da987709609d2480799503a01ccb4

SHA1
ea12b6e8c678022221842776db72ff159ed7a6e0

SHA256
f478e9a09215aa0060cfa6d70fe15e2013990f9c9726edc8a192927791260404

SHA512
8a9b0b9f67cb3fae72f892e537d2c272196659abc99c541381f39a7fa958df838aeefc4160cb26bc6003543bc1e74305554e1bbf528c2043d631661d7b301b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
1ec363fca6d27feba5651e3f42931453

SHA1
d688be1263a734e7890930f29567cb5526ec5921

SHA256
e2f7f54e361f47f75d385b80f7eed303cfca40c4f12b9be01d6bb09c1ff99a41

SHA512
0b77f641046ee6120fccda72c723f17dd7bb6b614f130dc6f1bb8539f4dc40f80212c52a08a1e0c4b0046cfad16f0f6e5e5aa8cf73b9c2fea58983a07fd1a105

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
01d2aa3f564a258d11ef5285a6f5a7b1

SHA1
f6584826b0e2a1df7c2830da2ede9b0d089809bf

SHA256
27c7c816d09b42f3adbc3019e5f9b58a227c6f9b22007f835be5afb3cad4accb

SHA512
de84d183e76eec2cbbf32fc345585bbccf2a8dd8ad175e0c2695979961ed51eb949f6308f63b13dd1c10d0e6573e41111e1b258f84e8e20adadb30379dcc1880

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133705321173907663.txt

Filesize
75KB

MD5
263960904fcb1c46cc216bd860eb0240

SHA1
57b1f6a4dceb07eebc008d41f4b21c3aa1d554e4

SHA256
bf9f2ea1d49864a9c1dfe096dbcfd1e1f262e6223615bf8cc4ec786f19b37c28

SHA512
5b52d8b705cc043a7802d918500601e05f1e676752864daecdb7515ba2603e8840d2bb384a710fd85803a5cb72c80cc1e9655407627bd9e6715f905215f1ca8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RMU4N5WP\microsoft.windows[1].xml

Filesize
97B

MD5
1e30d8c8ef07e3c98200641a90d1ae95

SHA1
b8e86446e5ff4d10984af769b912d8d34313da54

SHA256
0d0b29673b1fcaea71df3130c5c5cf31a8f8bbd16b60f9861b4a42665c934493

SHA512
bc0ca2e71bcc7f3680c683f91a87204d614f4bac56750619f449194f6aa69d983f526b4f73a5fed083ad56d648dfcce3a80c25b93fd07e76b616f14b219b6f04

Download Submit
C:\Users\Admin\AppData\Roaming\7A50A\AD55.A50

Filesize
1KB

MD5
6314cb9eddd291df927bb969968e9bbc

SHA1
2dbea6fd6c1f506fc998c0b1fa0824ec92274883

SHA256
7b81df4717422aa356e1bc51835f2aa03d4dff28575578b436f4bdadb00e4372

SHA512
884994fcfb0ca83da3c947a35478dbe661854463a22eb4ab20e354d5c054722599f0b602439fa8a86489a1c65e18171dded022a59db5f4338b14e9ad2391775f

Download Submit
C:\Users\Admin\AppData\Roaming\7A50A\AD55.A50

Filesize
1KB

MD5
4d388916e4125a88a6678b8b053fe57a

SHA1
7dc9fe9e8fba39cb5712f2b16f49d1f3156799e7

SHA256
9ee0dc7806f15feb5f4d671d9372bdef0bfdae0c280f1f711592c6b808da4744

SHA512
f1254cf7e7011e1656254e816a24b0fdf09cb8894cd041751c92456714451b9fe41f2482e76c7e40fcfaa61a2c179384e30ef73777377d3cb803c3e4068cb6a4

Download Submit
C:\Users\Admin\AppData\Roaming\7A50A\AD55.A50

Filesize
600B

MD5
d796a740b260f55b9aad0f317554ffe3

SHA1
15d6956cccef8f77ccba3acd363237b21d984a0a

SHA256
f0c80e3963bc14a5e30cf93ff5eb566a472c1e283259ce74a64cede61f6af5d3

SHA512
9311729def4a3c5b6ad3cbf07ba07d2c0a588039fdc8ad414ee120dae9348e6a16e2e8f2cc16bf08c3f6afe28403f7df4104816de9a940c4261ed6d0d5d30d03

Download Submit
C:\Users\Admin\AppData\Roaming\7A50A\AD55.A50

Filesize
996B

MD5
a23620d95e924c8bcb4b6cbf0bec7306

SHA1
d18c7b8c8ef767d07cbdd8d4b472ab4774072f98

SHA256
dddbbf7ff48418beb679a9c4079d4c66aa4b03defc3e2f0d13299321d988fbe6

SHA512
732b32892928f695d7a7c57fd378a8f9fe7fd69879ca5e2d54e730c76861aa869cad0771c6f2bba71c67baee661dd704a66f376cfecfb3775fc3bb785fbc9ff2

Download Submit
memory/744-200-0x000001C982D00000-0x000001C982E00000-memory.dmp

Filesize
1024KB

Download
memory/744-211-0x000001C983AA0000-0x000001C983AC0000-memory.dmp

Filesize
128KB

Download
memory/744-225-0x000001C9840C0000-0x000001C9840E0000-memory.dmp

Filesize
128KB

Download
memory/744-204-0x000001C983AE0000-0x000001C983B00000-memory.dmp

Filesize
128KB

Download
memory/744-199-0x000001C982D00000-0x000001C982E00000-memory.dmp

Filesize
1024KB

Download
memory/1036-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1036-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1036-9-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1312-350-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1740-750-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2356-197-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3492-160-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3492-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3492-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3492-77-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3492-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3492-1051-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3492-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3760-929-0x000001EA505E0000-0x000001EA50600000-memory.dmp

Filesize
128KB

Download
memory/3760-917-0x000001EA4FFD0000-0x000001EA4FFF0000-memory.dmp

Filesize
128KB

Download
memory/3760-903-0x000001EA4F100000-0x000001EA4F200000-memory.dmp

Filesize
1024KB

Download
memory/3760-907-0x000001EA50220000-0x000001EA50240000-memory.dmp

Filesize
128KB

Download
memory/3760-904-0x000001EA4F100000-0x000001EA4F200000-memory.dmp

Filesize
1024KB

Download
memory/3760-902-0x000001EA4F100000-0x000001EA4F200000-memory.dmp

Filesize
1024KB

Download
memory/3856-353-0x000001CE38100000-0x000001CE38200000-memory.dmp

Filesize
1024KB

Download
memory/3856-367-0x000001CE39220000-0x000001CE39240000-memory.dmp

Filesize
128KB

Download
memory/3856-354-0x000001CE38100000-0x000001CE38200000-memory.dmp

Filesize
1024KB

Download
memory/3856-357-0x000001CE39260000-0x000001CE39280000-memory.dmp

Filesize
128KB

Download
memory/3856-352-0x000001CE38100000-0x000001CE38200000-memory.dmp

Filesize
1024KB

Download
memory/3856-382-0x000001CE39620000-0x000001CE39640000-memory.dmp

Filesize
128KB

Download
memory/3900-74-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3900-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4192-636-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4520-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-652-0x000001EDEA3C0000-0x000001EDEA3E0000-memory.dmp

Filesize
128KB

Download
memory/4580-643-0x000001EDEA600000-0x000001EDEA620000-memory.dmp

Filesize
128KB

Download
memory/4580-639-0x000001E5E9100000-0x000001E5E9200000-memory.dmp

Filesize
1024KB

Download
memory/4580-675-0x000001EDEA9D0000-0x000001EDEA9F0000-memory.dmp

Filesize
128KB

Download
memory/4672-757-0x0000021056330000-0x0000021056350000-memory.dmp

Filesize
128KB

Download
memory/4672-753-0x0000021055400000-0x0000021055500000-memory.dmp

Filesize
1024KB

Download
memory/4672-769-0x00000210562F0000-0x0000021056310000-memory.dmp

Filesize
128KB

Download
memory/4672-789-0x0000021056900000-0x0000021056920000-memory.dmp

Filesize
128KB

Download
memory/4672-752-0x0000021055400000-0x0000021055500000-memory.dmp

Filesize
1024KB

Download
memory/4672-754-0x0000021055400000-0x0000021055500000-memory.dmp

Filesize
1024KB

Download
memory/4912-496-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/5112-504-0x000001D5C37E0000-0x000001D5C3800000-memory.dmp

Filesize
128KB

Download
memory/5112-530-0x000001D5C3BB0000-0x000001D5C3BD0000-memory.dmp

Filesize
128KB

Download
memory/5112-515-0x000001D5C37A0000-0x000001D5C37C0000-memory.dmp

Filesize
128KB

Download