Analysis

- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 22:49

Static task: static1

Behavioral task: behavioral1
- Sample: fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe
- Resource: win10v2004-20240412-en

General

- Target: fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe
- Size: 97KB
- MD5: fb568481fb808dcbea29f7a12e124bc9
- SHA1: 489bc6b83f86e3233be44d17d2c02674aba20884
- SHA256: f4c88afedcd39ddc4fffc9de1da87a17da6bdd4af6332f9eace560ad4f7f9cbf
- SHA512: d39bbce5d891b78c79dc48e14bc174a4d842a4763dbc69849341e7e5571bec244554d5a351b22d9e5fdc6bf03ec49d375f40a8252116cc6ebcc81db22411be7a
- SSDEEP: 1536:5v/MoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11TvbRMoOJ:R/xOMUMPsgQvTMY+PhGGR/11TlxOJ

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)

Both values live under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon; each was written by all eight processes listed.

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6267422.exe" | winlogon.exe, services.exe, qm4623.exe, csrss.exe, m4623.exe, lsass.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4267427.exe\"" | services.exe, m4623.exe, smss.exe, qm4623.exe, lsass.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, winlogon.exe, csrss.exe |
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe, qm4623.exe, lsass.exe, m4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe, qm4623.exe, lsass.exe, m4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe |
Adds policy Run key to start application (2 TTPs, 18 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | csrss.exe, smss.exe, winlogon.exe, m4623.exe, services.exe, lsass.exe, qm4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4218c = "\"C:\\Windows\\_default26742.pif\"" | m4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, services.exe, lsass.exe, winlogon.exe, qm4623.exe, smss.exe, csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe |
Disables RegEdit via registry modification (8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe, m4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, qm4623.exe |
Drops file in Drivers directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | csrss.exe |
Executes dropped EXE (7 IoCs)

| pid | Process |
|---|---|
| 2588 | smss.exe |
| 2456 | winlogon.exe |
| 1360 | services.exe |
| 1592 | csrss.exe |
| 1816 | lsass.exe |
| 2196 | qm4623.exe |
| 1444 | m4623.exe |
Loads dropped DLL (14 IoCs)

| pid | Process | occurrences |
|---|---|---|
| 2072 | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe | 2 |
| 2588 | smss.exe | 2 |
| 2456 | winlogon.exe | 10 |
Adds Run key to start application (2 TTPs, 16 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4218c = "\"C:\\Windows\\j6267422.exe\"" | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, lsass.exe, smss.exe, services.exe, qm4623.exe, winlogon.exe, csrss.exe, m4623.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe, winlogon.exe, qm4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, services.exe, m4623.exe, csrss.exe, lsass.exe |
Enumerates connected drives (3 TTPs, 21 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\E:, \??\H:, \??\J:, \??\M:, \??\Y:, \??\G:, \??\T:, \??\U:, \??\X:, \??\K:, \??\L:, \??\N:, \??\P:, \??\V:, \??\W:, \??\Z:, \??\I:, \??\O:, \??\Q:, \??\R:, \??\S: | lsass.exe |
Drops file in System32 directory (64 IoCs)

The 64 file events, grouped by path:

| ioc | File created by | File opened for modification by |
|---|---|---|
| C:\Windows\SysWOW64\s4827 | | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, m4623.exe, services.exe, csrss.exe, winlogon.exe, lsass.exe, qm4623.exe, smss.exe |
| C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe, lsass.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, smss.exe, qm4623.exe, csrss.exe | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, csrss.exe, winlogon.exe, lsass.exe, smss.exe, services.exe, qm4623.exe, m4623.exe |
| C:\Windows\SysWOW64\s4827\zh59927084y.exe | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe | smss.exe, winlogon.exe, lsass.exe, m4623.exe, services.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, csrss.exe, qm4623.exe |
| C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe | smss.exe |
| C:\Windows\SysWOW64\c_26742k.com | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, qm4623.exe | services.exe, csrss.exe, qm4623.exe, winlogon.exe, lsass.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe |
| C:\Windows\SysWOW64\msvbvm60.dll | | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, smss.exe, winlogon.exe, csrss.exe, qm4623.exe, lsass.exe, services.exe, m4623.exe |
| C:\Windows\SysWOW64\s4827\brdom.bat | lsass.exe | lsass.exe |
| C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe | winlogon.exe |
| C:\Windows\SysWOW64\s4827\getdomlist.txt | cmd.exe | lsass.exe |
| C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe | winlogon.exe |
| C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe | winlogon.exe |
| C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe | winlogon.exe |
| C:\Windows\SysWOW64\s4827\m4623.exe | winlogon.exe | |
| C:\Windows\SysWOW64\s4827\domlist.txt | | lsass.exe |
| C:\Windows\SysWOW64\s4827\c.bron.tok.txt | lsass.exe | |
Drops file in Windows directory (33 IoCs)

The 33 file events, grouped by path:

| ioc | File created by | File opened for modification by |
|---|---|---|
| C:\Windows\o4267427.exe | qm4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, lsass.exe | winlogon.exe, csrss.exe, smss.exe, lsass.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, m4623.exe, services.exe, qm4623.exe |
| C:\Windows\j6267422.exe | qm4623.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe | csrss.exe, winlogon.exe, lsass.exe, smss.exe, m4623.exe, qm4623.exe, services.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe |
| C:\Windows\_default26742.pif | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe | qm4623.exe, m4623.exe, winlogon.exe, lsass.exe, fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe, csrss.exe, smss.exe, services.exe |
| C:\Windows\Ad10218 | | winlogon.exe |
| C:\Windows\Ad10218\qm4623.exe | winlogon.exe | winlogon.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTPs, 2 IoCs)

| pid | Process |
|---|---|
| 576 | net.exe |
| 2928 | net.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process | occurrences |
|---|---|---|
| 2456 | winlogon.exe | 64 |
Suspicious use of WriteProcessMemory (56 IoCs)

Each parent-to-child write below was recorded four times, giving 56 entries in total.

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2072 wrote to memory of 2588 | 2072 | fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe | 29 |
| PID 2588 wrote to memory of 2456 | 2588 | smss.exe | 31 |
| PID 2456 wrote to memory of 1360 | 2456 | winlogon.exe | 33 |
| PID 2456 wrote to memory of 1592 | 2456 | winlogon.exe | 35 |
| PID 2456 wrote to memory of 1816 | 2456 | winlogon.exe | 37 |
| PID 2456 wrote to memory of 2196 | 2456 | winlogon.exe | 38 |
| PID 2456 wrote to memory of 1444 | 2456 | winlogon.exe | 41 |
| PID 2456 wrote to memory of 456 | 2456 | winlogon.exe | 43 |
| PID 2456 wrote to memory of 2960 | 2456 | winlogon.exe | 45 |
| PID 2456 wrote to memory of 1704 | 2456 | winlogon.exe | 47 |
| PID 1816 wrote to memory of 624 | 1816 | lsass.exe | 49 |
| PID 624 wrote to memory of 576 | 624 | cmd.exe | 51 |
| PID 1816 wrote to memory of 1156 | 1816 | lsass.exe | 52 |
| PID 1156 wrote to memory of 2928 | 1156 | cmd.exe | 54 |
Processes

Process tree (nesting level shown as in the report, child processes indented under their parent):

- Level 1: C:\Users\Admin\AppData\Local\Temp\fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe (PID 2072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb568481fb808dcbea29f7a12e124bc9_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  - Level 2: C:\Windows\SysWOW64\s4827\smss.exe (PID 2588)
    Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    - Level 3: C:\Windows\SysWOW64\s4827\winlogon.exe (PID 2456)
      Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      - Level 4: C:\Windows\SysWOW64\s4827\services.exe (PID 1360)
        Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      - Level 4: C:\Windows\SysWOW64\s4827\csrss.exe (PID 1592)
        Command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      - Level 4: C:\Windows\SysWOW64\s4827\lsass.exe (PID 1816)
        Command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        - Level 5: C:\Windows\SysWOW64\cmd.exe (PID 624)
          Command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
          - Suspicious use of WriteProcessMemory

          - Level 6: C:\Windows\SysWOW64\net.exe (PID 576)
            Command line: net view /domain
            - Discovers systems in the same network

        - Level 5: C:\Windows\SysWOW64\cmd.exe (PID 1156)
          Command line: cmd /c ""C:\Windows\system32\s4827\brdom.bat" "
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

          - Level 6: C:\Windows\SysWOW64\net.exe (PID 2928)
            Command line: net view /domain:WORKGROUP
            - Discovers systems in the same network

      - Level 4: C:\Windows\Ad10218\qm4623.exe (PID 2196)
        Command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      - Level 4: C:\Windows\SysWOW64\s4827\m4623.exe (PID 1444)
        Command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      - Level 4: C:\Windows\SysWOW64\at.exe (PID 456)
        Command line: "C:\Windows\System32\at.exe" /delete /y

      - Level 4: C:\Windows\SysWOW64\at.exe (PID 2960)
        Command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

      - Level 4: C:\Windows\SysWOW64\at.exe (PID 1704)
        Command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (5)
Downloads