gandcrab | 2f7c6195415c8d32bbf266557f2e31b945204713487644c46328160d1e730337

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
14/12/2023, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty.exe
Size

218KB
MD5

b29bfe0978cdeab5a09b8ab31eadbaf1
SHA1

9c930ee306446556d22b5469a8c5943a56e7197f
SHA256

2f022dacd013c10da72759a20cf7392637460f983d59631ebf636328d0f977ee
SHA512

7f721aa07a073117575e7fe4cd10228f2da1c31ef6df32fbf0722577616998d476aef415f7b29be7ddd0384270f4c66f8021ac06da469799ebe739e6f667d71b
SSDEEP

3072:/SAzTSCFUvN/0Lz/2rir+HrBNBB50FO+7Vcx8BBjlIGOPA2EeHOz3ctJ:6MFUaP/2ZVzJ+Jcx8xN2EEOzct

Score

10^/10

gandcrab backdoor ransomware spyware stealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1514849007-2165033493-4114354048-1000\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/5d5212de55099b66 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAGXK5T9dtzGtcFfz9k4tKnXf0RD6dbi/AeAiF3qcGRy5oALUGrReib98Vj8Dm/wUR9x6amCER7kmKLXaljukn6edEDoU978BLFr4Obz3grQ8LaHvAcop3s9ZyyJl91BkCnEJuUjl9mAnUG/1+gGeZmOAXH0rrEAKrGft7csFxdN+7Cqn1eKEaOK1jdzlYmgviVdEo3cdeEf0tIqkJ+ydgIsluvLHR6G4IxuC+Z/75j4A7lY8dG8VxuZRPRfhT1VFxTJD8UZ2zpBqqfFCEWCPSi10XfHC82sAGVty4gR/mX1BtpamMUijzqCyrg78NHjlDNK9VJs+jjaMhY16FqHSlrpvkmfOKocsucPm3O6wIQCvfsLMG1WeKBooWLPqvegS9z6AWXQAPVPPHMrkRxjtPb31bUT2HSuZ+RcHMG7fDyXP8Nc4DQ/sJlPEekvZ3lrJ5Fp8rBf9ZatwffzNGa+UUkHCyn+kDdwD8CBMVJmW/OjOEIgQwSKxTigC9fjGZ7NKZX+6KBBYoDyzBeOu/2K57B3ypc9BgJIcv2cGK8P3rAU324AcRVYyp1YBpa3QLRj20FgTngeTk8tc9fn/eTyq0EHVyMsu3ePXEdxT88JKFmJerelDsrmilW4+3ythiG5K3vBnYnd2N+Z1ljbT72nc6c2B93X7BfWajQfyepbBO0p1BDqTYKvNDTDFcmh0MEwKp+JibknLMX+bEyDQBKR3sn9XGLpHJRqlc/33ELZTBawxZ4M2AV3WlIAZAVKMyOjdpSJCQEJBRrr38j16oYD2TcZ8PItjTD9NyNCEtVUjoYT9Jd5yFTg42Ixys22TqT08rRL+jBoyDqqG6CLD6DWcto4obzRVyLpsO6rBhRXtMaZBbGksDMhLxMJPy8p4DP6pAOb4eFeCEGHUx3hM+D7Z6n3fVqFX4EdXlHGdy55XDON08p47i2qOpvWHARjJEKYD9wcIyyKVqHWlBqa9jCX+jRUuOrksXg1LrrzVmgU6XtEEAG8UL/9IEfu1IXf1uWUXFFi6bimJhDBrZg3ypqXLtCOAXIyUFc2dswpadkOVv8w73Q7jFXdrcr3OKeuUEPrrUNcvgCgL8qKlwm/OKCVarD/9QBbSsRSyXVtl62MAXl3+xROCf87WhfEsv0wIn1m1uphG0kErKZ104YBTAyWUn77wCO5rjmUe77m3VVMbA3fguPhsntsLCzcD4X1AFd0g1EmJhU4TF285EKAOP5lA0Pd6kVS+sUpUhipLtNntnnFIVpcFN1cDJwKtEAKP9c1TOQN7LGim2FEGbj6D6MnItDTKZuU4K1Dq9LzNyxvIsdRDX5ayvjIvnuUV1MwCQDUmsgEIspXANGRCLc4s/nB9RYRdqXDo9+3791E8KqkqJMRrOxtWEJb4lkU23hWe/NR4ckpzftWTCs1jqUnh1b6BOcxBSh9IF784SjQ56a1ZkE7TG4nXmSfBIiSNqAyscbrsAoRBr+Va0fLTez14rsnHXZt6gwuUdkSKa187cbHsJQl7yxDFtn4j/vUPsxrTqoydXZdA7AnvCpoIlNzIuVKSqZhndiJg4nJiOPkNZy1ywSUc3OoJ+DMTlnqY8ZFvIn29jjCDOOklJuErjd/jbHicB8eHB6rooezwEGCZmYvffkKu909QLVORIjo3AiSajLs64o4Hp6fAe9xFoWZub3omA4O3+QrvZnQ6I62SzGAQqHEMJDfw/XhSpGODx7kAIYCAQDggdoplC44V32idFl7vbpJNMWq3+1QS6O0UA/EjRO0y9kKu5yJA5e3rfwV57HJvlaX+QCm7dx+ux6zxi8pGiqV+4nO+S3QaElnrPhV1ZL/HigXgLn8r+/GhHgR0oYDBMyLpbyU81wF1EAjUEIVwvF4BYGt4mBCuI4kWr3AK6YvGSohXvhgv9AZhZOeMhaIwxAABcJ7e19b4v2zvvY8VeaKO77iZRP943/S5OgohgHnRmbJAGU+ckUYKC8zE9fMl7ItNrGV6Q/iBVAkWZQHOLZrLUiCLWzl0HS9oZfavB9mh26cfDJKOz8YCEhwNY38ZKA4HzoKap5+fT2WMpQZvhWmmLun4mFWltr390g+Q/eJhZ5AvuEV7jXpHt3puDtYMbvrHX0gjwYfyoy2RFNS27fuVql+VoBzHyaUHmZ/z2FtVF7tTSj1uf0I1zSz8cFM1Hqc1V1tlVcid9eygp4h+lhJH2+AmUYbQ0GAfyc5ENhUV6/7Ka6WMsqxsS7eVo0mKZF1WiDI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZZTphRvXYd7npWobfYTGCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi5rEmkU3B4uKl/2Q2RetzGt5YaVqDBi7tpBGEEd8bpycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72Zi/pCBFK3vDLNeah1w4ZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH0HpoOar+NRZwP9okRV/rusrPFzMX9P3YBh9gzrewdRb9tHf+DbmDW4OIcXpReLdQq9FxhO1LL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/5d5212de55099b66

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (290) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	putty.exe
File opened (read-only)	\??\Z:	putty.exe
File opened (read-only)	\??\B:	putty.exe
File opened (read-only)	\??\J:	putty.exe
File opened (read-only)	\??\S:	putty.exe
File opened (read-only)	\??\X:	putty.exe
File opened (read-only)	\??\O:	putty.exe
File opened (read-only)	\??\R:	putty.exe
File opened (read-only)	\??\U:	putty.exe
File opened (read-only)	\??\T:	putty.exe
File opened (read-only)	\??\K:	putty.exe
File opened (read-only)	\??\M:	putty.exe
File opened (read-only)	\??\N:	putty.exe
File opened (read-only)	\??\P:	putty.exe
File opened (read-only)	\??\I:	putty.exe
File opened (read-only)	\??\L:	putty.exe
File opened (read-only)	\??\Q:	putty.exe
File opened (read-only)	\??\V:	putty.exe
File opened (read-only)	\??\A:	putty.exe
File opened (read-only)	\??\E:	putty.exe
File opened (read-only)	\??\G:	putty.exe
File opened (read-only)	\??\H:	putty.exe
File opened (read-only)	\??\W:	putty.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MeasureUse.wpl	putty.exe
File opened for modification	C:\Program Files\NewExport.mhtml	putty.exe
File opened for modification	C:\Program Files\ProtectBlock.mhtml	putty.exe
File opened for modification	C:\Program Files\AddPing.png	putty.exe
File opened for modification	C:\Program Files\ConnectGet.pot	putty.exe
File opened for modification	C:\Program Files\DebugRequest.dib	putty.exe
File opened for modification	C:\Program Files\MeasureRequest.contact	putty.exe
File opened for modification	C:\Program Files\InitializeGet.wmx	putty.exe
File opened for modification	C:\Program Files\ResolveWait.contact	putty.exe
File opened for modification	C:\Program Files\StartComplete.png	putty.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt	putty.exe
File opened for modification	C:\Program Files\SplitClear.bmp	putty.exe
File opened for modification	C:\Program Files\SplitEnter.scf	putty.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\55099c8455099b6c36.lock	putty.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	putty.exe
File opened for modification	C:\Program Files\DisconnectDisable.doc	putty.exe
File opened for modification	C:\Program Files\RequestPublish.easmx	putty.exe
File opened for modification	C:\Program Files\CloseHide.txt	putty.exe
File opened for modification	C:\Program Files\EnterRestore.mhtml	putty.exe
File opened for modification	C:\Program Files\UnblockRegister.DVR	putty.exe
File opened for modification	C:\Program Files\WatchRepair.docm	putty.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	putty.exe
File created	C:\Program Files (x86)\55099c8455099b6c36.lock	putty.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt	putty.exe
File opened for modification	C:\Program Files\ClearConvertFrom.avi	putty.exe
File opened for modification	C:\Program Files\SetCheckpoint.ogg	putty.exe
File opened for modification	C:\Program Files\UninstallDebug.vstm	putty.exe
File opened for modification	C:\Program Files\UseSelect.potm	putty.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\55099c8455099b6c36.lock	putty.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\55099c8455099b6c36.lock	putty.exe
File created	C:\Program Files\55099c8455099b6c36.lock	putty.exe
File opened for modification	C:\Program Files\CloseGet.mov	putty.exe
File opened for modification	C:\Program Files\SyncSave.tmp	putty.exe
File opened for modification	C:\Program Files\UnprotectCopy.tmp	putty.exe
File opened for modification	C:\Program Files\UnpublishWrite.contact	putty.exe
File opened for modification	C:\Program Files\UnregisterMerge.dotm	putty.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt	putty.exe
File opened for modification	C:\Program Files\ApproveCompare.ods	putty.exe
File opened for modification	C:\Program Files\CompareComplete.mpeg3	putty.exe
File opened for modification	C:\Program Files\GroupRevoke.zip	putty.exe
File opened for modification	C:\Program Files\SubmitBackup.ttf	putty.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	putty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	putty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	putty.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	putty.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	putty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	putty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	putty.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	putty.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	putty.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	putty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	putty.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	putty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	putty.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	putty.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	putty.exe
1956	putty.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: SeBackupPrivilege	288	vssvc.exe
Token: SeRestorePrivilege	288	vssvc.exe
Token: SeAuditPrivilege	288	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2564	1956	putty.exe	30
PID 1956 wrote to memory of 2564	1956	putty.exe	30
PID 1956 wrote to memory of 2564	1956	putty.exe	30
PID 1956 wrote to memory of 2564	1956	putty.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e243f7db92fd297a6c8d2681c2194fa

SHA1
86e4fa35165b313774b659a70e914d2b6938ad97

SHA256
fb7389848cb6ce92d0f471c772af61a7a57deb371b4522942bfd32c6815b82fa

SHA512
7f4d33f99dcf5e6db8e76b73e852a9830f263e4da4c81d00dcff3af41d751170e9a0604150c6849872797e7fcd74b458e02c677bd36f74de0cb50284aa147344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4759e61e0f3c107254c925fdb7f605b

SHA1
ee16f360b9481cf90f6de4430480da14ad081389

SHA256
a182c8530256e14dba38e7b732db830afa9a19bbddbe8f8ca7eaa8355d8c1b8e

SHA512
4ea567240aa6259a7a9337a6918954b381ce80048a1f925a6abaef37f407a4adb5cc3a237d91d65f9928923e2dd1b1aed30cec50a70b69992867e5db2f63b40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab13B2.tmp

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar13C4.tmp

Filesize
42KB

MD5
211fc8b3a0106643d2a5b60a8403c440

SHA1
345732c62b9778f1986498901d0b22b1ca643664

SHA256
80b0c500aa3a248fff2c4b10436932f7de7d4b0999fd875a1f83b3f524ff0759

SHA512
65e9642139cd0c4e7e838722e5a1371f72d431cfbd129b836d75b44a7116381971e2c71876f5473acf68ed48846aab1d2ba1eb11ab03b22703ad4c881911e9fc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1514849007-2165033493-4114354048-1000\KRAB-DECRYPT.txt

Filesize
8KB

MD5
14a5cbae4240106de3f9855ddc6dc0ed

SHA1
d52828eb7571abf5f1c5767ddee0f4916b06fe56

SHA256
a71f22f095ca733dd3f598fde8f1230955eec5acfb491a6ac5612b2b63ed362c

SHA512
382d7d212182bc10bb15a9a8934eaafe951d449a422a6b8eac9f3f11d91c238bb26e869c99ad0d236c4f50aad1adcfed3bfdef680f5c83e97ad56e6e59145de8

Download Submit
memory/1956-0-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1956-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-1-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1956-951-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-953-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download