5fad4bfd723fec95c1bf2427014bfff853d92aab283e8411af08a598a2e86590

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
Size

484KB
MD5

7046c23f48f52b97038e69e782044cbd
SHA1

e3e20833e358a5db26d3393f29e3eb8665aea9aa
SHA256

5fad4bfd723fec95c1bf2427014bfff853d92aab283e8411af08a598a2e86590
SHA512

2694e9b94f99d0e350427fd89408aef3ebd4c4ff656669d7599aca491aaf6547f14da11593d4c6b4bfe9bf22a3ec29abb484891356f169e20cbc6a5aff0ac4ba
SSDEEP

12288:5P9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:5PoBHch+uudKNffiv1aVSaPTeO

Score

10^/10

discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	V6oUpCF0mC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	naoeyeq.exe

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	V6oUpCF0mC.exe
2684	naoeyeq.exe
1208	ayhost.exe
1068	ayhost.exe
2908	byhost.exe
2324	byhost.exe
588	cyhost.exe
336	csrss.exe
2128	cyhost.exe
3000	cyhost.exe
2712	dyhost.exe

Loads dropped DLL 14 IoCs

pid	Process
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2756	V6oUpCF0mC.exe
2756	V6oUpCF0mC.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
588	cyhost.exe
2360	DllHost.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-9-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2320-6-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2320-15-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2320-14-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2320-12-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2320-4-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2128-134-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2320-142-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/3000-206-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/588-207-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2320-338-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"	cyhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /j"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /l"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /f"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /S"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /V"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /J"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /B"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /a"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /d"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /z"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /P"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /G"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /Q"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /c"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /N"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /n"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /C"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /r"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /L"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /k"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /b"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /q"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /H"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /o"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /T"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /v"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /i"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /g"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /y"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /Z"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /E"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /M"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /F"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /U"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /A"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /I"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /x"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /D"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /p"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /W"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /O"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /Y"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /K"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /X"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /R"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /m"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /t"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /w"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /i"	V6oUpCF0mC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /h"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /u"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /e"	naoeyeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoeyeq = "C:\\Users\\Admin\\naoeyeq.exe /s"	naoeyeq.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2956	tasklist.exe
2732	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 1208 set thread context of 1068	1208	ayhost.exe	38
PID 2908 set thread context of 2324	2908	byhost.exe	40
PID 2324 set thread context of 2940	2324	byhost.exe	41

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\lvvm.exe	cyhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	naoeyeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V6oUpCF0mC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}\cid = "1820034458396508756"	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	V6oUpCF0mC.exe
2756	V6oUpCF0mC.exe
1068	ayhost.exe
2684	naoeyeq.exe
2940	explorer.exe
2940	explorer.exe
2940	explorer.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
1068	ayhost.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
1068	ayhost.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
2684	naoeyeq.exe
1068	ayhost.exe
1068	ayhost.exe
1068	ayhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	tasklist.exe
Token: SeDebugPrivilege	2940	explorer.exe
Token: SeDebugPrivilege	2732	tasklist.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
2756	V6oUpCF0mC.exe
2684	naoeyeq.exe
1208	ayhost.exe
2908	byhost.exe
2712	dyhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2320	2132	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2756	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2756	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2756	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2756	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2684	2756	V6oUpCF0mC.exe	32
PID 2756 wrote to memory of 2684	2756	V6oUpCF0mC.exe	32
PID 2756 wrote to memory of 2684	2756	V6oUpCF0mC.exe	32
PID 2756 wrote to memory of 2684	2756	V6oUpCF0mC.exe	32
PID 2756 wrote to memory of 2552	2756	V6oUpCF0mC.exe	33
PID 2756 wrote to memory of 2552	2756	V6oUpCF0mC.exe	33
PID 2756 wrote to memory of 2552	2756	V6oUpCF0mC.exe	33
PID 2756 wrote to memory of 2552	2756	V6oUpCF0mC.exe	33
PID 2552 wrote to memory of 2956	2552	cmd.exe	35
PID 2552 wrote to memory of 2956	2552	cmd.exe	35
PID 2552 wrote to memory of 2956	2552	cmd.exe	35
PID 2552 wrote to memory of 2956	2552	cmd.exe	35
PID 2320 wrote to memory of 1208	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	37
PID 2320 wrote to memory of 1208	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	37
PID 2320 wrote to memory of 1208	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	37
PID 2320 wrote to memory of 1208	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	37
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 1208 wrote to memory of 1068	1208	ayhost.exe	38
PID 2320 wrote to memory of 2908	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	39
PID 2320 wrote to memory of 2908	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	39
PID 2320 wrote to memory of 2908	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	39
PID 2320 wrote to memory of 2908	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	39
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2908 wrote to memory of 2324	2908	byhost.exe	40
PID 2324 wrote to memory of 2940	2324	byhost.exe	41
PID 2324 wrote to memory of 2940	2324	byhost.exe	41
PID 2324 wrote to memory of 2940	2324	byhost.exe	41
PID 2324 wrote to memory of 2940	2324	byhost.exe	41
PID 2324 wrote to memory of 2940	2324	byhost.exe	41
PID 2320 wrote to memory of 588	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	42
PID 2320 wrote to memory of 588	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	42
PID 2320 wrote to memory of 588	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	42
PID 2320 wrote to memory of 588	2320	7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe	42
PID 2940 wrote to memory of 336	2940	explorer.exe	2
PID 588 wrote to memory of 2128	588	cyhost.exe	43

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336

C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\V6oUpCF0mC.exe
    C:\Users\Admin\V6oUpCF0mC.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\naoeyeq.exe
      "C:\Users\Admin\naoeyeq.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
- - C:\Users\Admin\ayhost.exe
    C:\Users\Admin\ayhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\ayhost.exe
      "C:\Users\Admin\ayhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1068
- - C:\Users\Admin\byhost.exe
    C:\Users\Admin\byhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\byhost.exe
      "C:\Users\Admin\byhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\explorer.exe
        
        0000003C*
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
- - C:\Users\Admin\cyhost.exe
    C:\Users\Admin\cyhost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Users\Admin\cyhost.exe
      C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2128
  - - C:\Users\Admin\cyhost.exe
      C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3000
- - C:\Users\Admin\dyhost.exe
    C:\Users\Admin\dyhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 7046c23f48f52b97038e69e782044cbd_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1632
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\02E7.7D7

Filesize
600B

MD5
a3eec1763e0048a9136cf571dc18f086

SHA1
d8997a780e7764daaa84ae443045ffa25e6f5d09

SHA256
f51d81ff252c5c1d78fe3ca86a80f29a4dfe2a275294a3b45715836c9620be29

SHA512
198049f3920465f37c24aa80cf7819651d6963c65fe632a5852ba72cf87c3361276e3a767158b3e54f16969b172bd89433594848ae382f0cea3652e0be34b23d

Download Submit
C:\Users\Admin\AppData\Roaming\02E7.7D7

Filesize
996B

MD5
8c3ff6906b9cfdaf86629ba47fea6a14

SHA1
50a0d0e1c18ed636c23900cf7d41b0ae5a67e313

SHA256
7b5366f578f4228ab9f42d83eb06b4659ddbd15e9e722ef5b9ebedd1e8e77517

SHA512
d3d1eef96a9b04095ce11945b3bd8a7b81c7bf0698d13f908f01aae610118527792e8b8d04e50e86308853d4fd7a57770656c56d7f220f50df0f76328bfea2e6

Download Submit
C:\Users\Admin\AppData\Roaming\02E7.7D7

Filesize
1KB

MD5
e48dd849acf1d7d809b3efd92d4340bd

SHA1
036210d5ed2a988a64a884f1fadd838a2c737333

SHA256
241ca57ec1659a6337d8af7f97bd76a86387a0b5542e4ddb5bb4f18def57fb52

SHA512
0002d3ba2e1cddf2b1f7366b2cf1caebd3824acd616a70a3ce80b08ce9bdf4ee9f925135bbbd05b55d2452e29be95162f69ac73355fcfdeef38dee9ac47960a5

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
53KB

MD5
68689b2e7472e2cfb3f39da8a59505d9

SHA1
5be15784ab1193dc13ac24ec1efcabded5fe2df4

SHA256
f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

SHA512
269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

Download Submit
\Users\Admin\V6oUpCF0mC.exe

Filesize
332KB

MD5
b96dc0230580570446ab648e20a7e3b3

SHA1
27483df87ef7093d51062fb2d2fc9944f94c23fb

SHA256
2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

SHA512
b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

Download Submit
\Users\Admin\ayhost.exe

Filesize
68KB

MD5
2c7c2d4e9c03a1818621def0e1281a81

SHA1
c92b29a7f6e9998c7a86b9b57cff15f28647a127

SHA256
9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

SHA512
431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

Download Submit
\Users\Admin\byhost.exe

Filesize
136KB

MD5
1d0f81b6e185ec95e716d2a0b2ba69a1

SHA1
09399ffa69ae8bfd9794104bc4b7b4f481980e3a

SHA256
abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

SHA512
6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

Download Submit
\Users\Admin\cyhost.exe

Filesize
168KB

MD5
234bf3937f8fe09351acc53c059b40d2

SHA1
256f162b65eacc7a1fee35722fbfdbd55bba93c7

SHA256
86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

SHA512
6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

Download Submit
\Users\Admin\dyhost.exe

Filesize
24KB

MD5
9814ec05c8857737f599ba75b1610fb1

SHA1
aa9d9b016c2feda03cf6ad1bbca332070eb9b295

SHA256
a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

SHA512
c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

Download Submit
\Users\Admin\naoeyeq.exe

Filesize
332KB

MD5
a2e4bc084dbbd56769e8297b59dc2932

SHA1
82036d17e169a920b9f048661718f16739c3b267

SHA256
f962490a4894b49f016339c0f773073bb6030897772ddb7ac8d1408737d26f87

SHA512
1e557af983e41b7905ca09d8b087d569765ee23e923554aed0d44b9560252bfa83290f4350612a9a59af5e8683081e5e791d0c47437f0c2a839f07fe78af02af

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
ff7d5ec20bf73c02317e7a740fffe018

SHA1
365ac8cfe5b939854cc1c341caf051bcc45f9372

SHA256
1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

SHA512
30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
3e7a118b119428247edfc5d5ef3761bc

SHA1
140e4cb00107678160411f016c4c17611580a209

SHA256
97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5

SHA512
b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

Download Submit
memory/336-122-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/588-207-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1068-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-67-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1068-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2128-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2320-9-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-15-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-14-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-142-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-338-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2320-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2324-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2940-97-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/2940-102-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/2940-107-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/3000-206-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download